Network Configuration

This page covers:

  • MikroTik license types

  • Where to download the MikroTik CHR and the Winbox tool

  • Connecting to MikroTik through Winbox

  • Changing the username and password used to access the router

  • Resetting the router

  • DHCP client and server configuration

  • Where DNS and the gateway are configured

  • Naming interfaces and assigning IPs

  • Creating VLANs, including on a single router

  • Creating a VPN with the IPsec protocol

  • Configuring firewall rules for a DMZ

MikroTik, RouterOS and Winbox licenses

Our first step is to go to the official MikroTik page, open the Software tab and then Download. One thing to keep in mind: RouterOS is licensed by level, and the license table on the official MikroTik site shows what each level offers.

There is a free license (the demo or trial level), but being a trial it does not include all the features. These licenses only need to be purchased if we want to run RouterOS on a PC or virtual machine as a router: MikroTik hardware already ships with a license level, which is stated in the product specifications. This matters because many video tutorials do not say so, and use trial licenses or licenses they already bought without mentioning it.

So we download the Cloud Hosted Router (CHR), a free build with all the RouterOS tools whose only drawback is that the free license caps the throughput of each interface at 1 Mbit/s. It is offered in several formats for virtualization; we download the OVA template of the Stable branch so that VirtualBox recognizes it.

Once downloaded, importing it into VirtualBox is the same as for any OVA. After importing we only have to define the network interfaces we are going to use, in this case all four, and their type: ether1 will be the WAN, so it is left in bridged mode to take its IP by DHCP from the home router, and the other three interfaces are set as internal networks for the DMZ and the two LANs.

Once ready, we start it. The first thing it asks for is the login: the default user is admin and the password is empty.

On entering we see a command-line terminal (RouterOS is built on a Linux kernel). In the following image, the command ip address print shows that the interface defined as bridged in VirtualBox already has an IP assigned.

The interface print command lists all the interfaces and their state.

The fact that MikroTik is driven from the command line has positive and negative sides.

On the negative side, we must learn a new command set, and according to network administrators on forums some advanced configurations can only be done via the CLI; this is why MikroTik, like Cisco, has its own courses and certifications to learn everything it offers.

On the positive side, we can write scripts to automate tasks or to load a whole configuration when it is the same or similar across devices; many people publish scripts on GitHub for multiple tasks and configurations. Review any third-party script before importing it, since it runs with the privileges of the user that imports it.

But MikroTik can also be configured graphically, through WebFig in the browser or with tools such as Winbox, which is what we will use.

Winbox can be downloaded from MikroTik's own page, choosing the 32- or 64-bit version. Installation is simple: choose the path and click Next.

When Winbox opens, a screen like the one below appears and it starts discovering the MikroTik devices present on the network (Neighbors tab).

As the images show, it has detected two MikroTik devices, in this case both CHR, but one has an IP and the other does not. The CHR OVA comes with a preconfigured IP; the other has been reset and lost that default configuration. Winbox can still connect directly by MAC address (layer 2, so only from the same network segment), and once inside we configure the IP of the interfaces and from then on connect by IP with the admin name and password defined in the first setup.

After selecting a device, we click Connect and the main Winbox screen appears, shown below.

The left menu contains practically every tool needed to configure the router.

Settings

Reset

As a first step we reset the router configuration: from the left menu go to System → Reset Configuration, in the new window tick No Default Configuration and Do Not Backup, and then click the Reset Configuration button. The router reboots with an empty configuration, so the next connection has to be made by MAC address.

Login and Password

Next we set up a username and password: go to System → Users, where the default admin user appears. Add a new user with the plus symbol, give it a name and a password, and put it in the full group so that it has admin privileges. Click Apply and then OK. Once created, select the admin user and delete it with the minus button or disable it with the cross. Check in a second session that the new user can log in before removing admin, otherwise it is easy to lock yourself out.

If we now disconnect and reconnect, it will refuse the admin user and we must use the newly created one. To disconnect, click Session on the toolbar and then Disconnect.

Naming Interfaces

Next we name the interfaces so that each one can be told apart and matches what was defined in VirtualBox. Double-click each interface, type a name in the window that appears, and click OK. If the Interfaces window that opens by default when Winbox starts is not there, click Interfaces in the left menu.

Everything we do in Winbox is reflected directly in the RouterOS terminal: if we open a terminal from Winbox with New Terminal in the left menu and run interface print again, all the interfaces now show their names.

WAN over DHCP

Next we give the WAN its IP. Since it is in bridged mode in VirtualBox, we make it a DHCP client and let the home router assign it. In the left menu go to IP → DHCP Client, click the plus symbol, select the WAN interface in the new window and click OK. By default the DHCP client also installs the default route and the DNS servers offered by the home router.

Static IP

The WAN is now a DHCP client, but if the ISP provided a static public IP it could be set statically; we will show how, and in the process configure static IPs for the LAN and DMZ interfaces. Go to IP → Addresses; the window shows only the WAN address obtained by DHCP, so we click the plus symbol to add an address.

In the new window we choose the interface, write the IP with its network mask (for example 192.168.10.1/24) in Address, and on Apply Winbox fills in Network with the network it belongs to. We do this for all the LAN and DMZ interfaces. If the router had a public static IP it would be defined here in the same way on the WAN interface; as that is not our case, the WAN stays as a DHCP client.

With all the interfaces configured, the address list looks like this.

Configure masquerading

From the left menu go to IP → Firewall, open the NAT tab and click the plus button.

In the new window, in the General tab, make sure Chain is srcnat (source NAT) and Out. Interface is the WAN.

Then go to the Action tab and select masquerade as the Action.

Finally click Apply and then OK.

Gateway

To configure the default route go to IP → Routes in the left menu (the Route List window). With the WAN on DHCP, the DHCP client has already added it. To add it manually click the plus symbol, set Gateway to the home router's IP and leave Dst. Address as 0.0.0.0/0, meaning all destinations, then Apply and OK.

DNS

To configure DNS go to IP → DNS, where Servers holds the resolvers we want to use; in this example Google's public DNS. To add more, click the small down arrow to the right of the Servers field, which opens another entry. Ticking Allow Remote Requests turns the MikroTik into a DNS server (a caching resolver) for the whole LAN. Note that this option answers DNS queries arriving on every interface, including the WAN, so it must be accompanied by a firewall rule in the input chain that drops UDP and TCP port 53 coming from the WAN; otherwise the router becomes an open resolver. Apply and OK.

Now we can test whether the MikroTik has Internet connectivity: open a terminal from Winbox and ping google.com, for example, as in the following image.

DHCP server

Next we set up a DHCP service for the LAN clients. This is optional: since each interface already has its static IP, we could instead go to every client on the LAN and configure a static IP with the gateway defined on the MikroTik. To create the DHCP service go to IP → DHCP Server in the left menu.

Clicking the plus button opens a window where the parameters of the DHCP server are configured: name, the interface the service listens on, lease time, address pool, etc.

There is also a guided way: instead of the plus button, click DHCP Setup.

As in the image, it first asks which interface will serve DHCP; in this example LAN1. Click Next.

Next it shows the network address the DHCP server will serve; we leave the default and click Next.

The next screen asks for the gateway of that network; we check that it is the IP defined for the LAN1 interface and click Next.

The next window defines the range of addresses the DHCP service hands out; for example .100 to .254, leaving the lower part of the subnet free for devices that need a fixed IP.

The next window asks for the DNS servers the clients will use: the first two are those supplied by the home router and the next two are the ones we added when configuring DNS. Since Allow Remote Requests is enabled, the router's own LAN address can also be handed out as the DNS server.

Finally it asks for the lease time of the clients' IPs.

With this last step the DHCP service is finished; we only have to connect a computer to LAN1 and check that it receives an IP in the defined range and has Internet access.
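The whole initial setup, from the reset to the DHCP server, as RouterOS terminal commands. This is an added example and not part of the original page. It assumes the VirtualBox adapter order ether1..ether4 = WAN, LAN1, LAN2, DMZ, a home router at 192.168.1.1, the user name netadmin and the subnets 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 that the DMZ section of this page uses; the user name, password, home-router address and the choice of LAN2 as the management network are assumptions. It also adds the input-chain rules that keep the DNS resolver and the management services away from the WAN, which the Winbox steps above do not include.

```routeros
# Added example: the Winbox steps above as RouterOS 6.x terminal commands.
# Assumed: ether1..ether4 = WAN, LAN1, LAN2, DMZ; home router at 192.168.1.1.
# Run after the reset (Winbox: System -> Reset Configuration, or the line below).
# /system reset-configuration no-defaults=yes skip-backup=yes

# --- Login and password: a full-rights user, then disable the default admin.
# Log in as the new user in a second session BEFORE disabling admin.
/user add name=netadmin group=full password="Ch4nge-Me-Before-Use"
/user disable admin

# --- Naming interfaces (names are assumptions, matching the VirtualBox adapters)
/interface ethernet set [ find default-name=ether1 ] name=WAN
/interface ethernet set [ find default-name=ether2 ] name=LAN1
/interface ethernet set [ find default-name=ether3 ] name=LAN2
/interface ethernet set [ find default-name=ether4 ] name=DMZ

# --- WAN over DHCP: also installs the default route and the peer DNS servers
/ip dhcp-client add interface=WAN disabled=no add-default-route=yes use-peer-dns=yes

# --- Static IPs on the internal interfaces (the .1 of each /24 is the gateway)
/ip address add address=192.168.10.1/24 interface=LAN1 comment="LAN1 workers"
/ip address add address=192.168.20.1/24 interface=LAN2 comment="LAN2 admins"
/ip address add address=192.168.30.1/24 interface=DMZ comment="DMZ servers"

# --- Masquerading: source NAT for everything leaving through the WAN
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade comment="masquerade to WAN"

# --- Gateway: only needed with a static WAN IP (the DHCP client adds it otherwise)
# /ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1

# --- DNS: the router resolves for the LANs
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

# allow-remote-requests also answers queries from the WAN, so close that (and the
# management ports) on the input chain. Rules are evaluated top to bottom.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=WAN protocol=udp dst-port=53 action=drop comment="no open resolver"
/ip firewall filter add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop
# Winbox (8291) and SSH (22) only from the admin LAN; unused plaintext services off
/ip service set winbox address=192.168.20.0/24
/ip service set ssh address=192.168.20.0/24
/ip service disable telnet,ftp,www

# --- DHCP server for LAN1: pool .100-.254 leaves .2-.99 free for fixed addresses
/ip pool add name=pool_lan1 ranges=192.168.10.100-192.168.10.254
/ip dhcp-server add name=dhcp_lan1 interface=LAN1 address-pool=pool_lan1 lease-time=10m disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# --- Checks: names, addresses and Internet reachability
/interface print
/ip address print
/ping google.com count=3
```

Paste the block into the Winbox terminal (New Terminal) line by line or import it as a .rsc file with /import; afterwards /export shows the same configuration that the Winbox windows display.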

VLAN

Next we create virtual networks within one LAN. Suppose a company has several departments on the same LAN, for example Human Resources, Administration and Secretariat, and we want each group, although on the same physical network, to have its own network separated from the others. For this we create VLANs. RouterOS supports up to 4095 VLAN interfaces per interface, each with a unique VLAN ID.

We follow the diagram below: three computers on the same LAN, each on its own VLAN. We configure the router with the three VLANs on the LAN1 interface, and to simulate the switch we use a second RouterOS instance where each VLAN is bridged to an access interface.

First, on the router we configured at the beginning, go to Interfaces in the left menu, open the VLAN tab and click the plus symbol.

In the new window we define the name of the VLAN, its VLAN ID and the interface it is bound to (LAN1). Click Apply and then OK.

Once the three VLANs are configured we give them IPs: IP → Addresses, plus symbol, select each created VLAN interface and assign an address, for example:

  • Vlan10 → 10.10.10.1/24

  • Vlan20 → 20.20.20.1/24

  • Vlan30 → 30.30.30.1/24

Note that 20.0.0.0/8 and 30.0.0.0/8 are publicly routed address space; they serve for the lab, but in a real deployment use RFC 1918 ranges (for example 192.168.20.0/24), otherwise the real hosts on those networks become unreachable from the VLANs.

With the router done, we connect the router interface for LAN1 to the uplink interface of the switch. Then we enter the switch (the second RouterOS) to configure it.

The first step is similar to the router: on ether1, the interface connected to the router, we create the same three VLANs (same IDs) that we created on the router. As before, click the plus symbol in the Interfaces window, choose VLAN, and fill in the fields as on the router until the three VLANs exist.

Next we link each VLAN to a switch port using a bridge: go to Bridge in the left menu and click the plus symbol to create one.

We create three bridges, one per VLAN created earlier, setting only the name and clicking OK.

Still in the Bridge window, switch to the Ports tab and click the plus symbol. Here we attach each VLAN interface to its bridge, and then the access port to the same bridge; let us see the example of VLAN 10.

First, in Interface select vlan10_RH and in Bridge select bridge10_RH, Apply and OK.

Click the plus symbol again, now select ether2 as Interface and bridge10_RH as Bridge.

Repeat the same steps to join ether3 with vlan20_Secre and bridge20_Secretariado, and ether4 with vlan30_Admin and bridge30_Administrativo. The final result is shown in the following image.

With this configuration, a PC connected to ether2 of the switch is on VLAN 10, on ether3 it is on VLAN 20, and so on. The access ports carry untagged frames; the bridge forwards them to the VLAN sub-interface, which tags them with the VLAN ID on the trunk towards the router.
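The router and "switch" side of the VLAN lab as RouterOS commands. This is an added example, not the page's own configuration; it assumes the interface names from the previous sections (LAN1 as the router's trunk, ether1 as the switch uplink and ether2..ether4 as access ports) and the page's example addresses.

```routeros
# Added example: the router/switch VLAN lab above as RouterOS 6.x commands.
# Assumed names: LAN1 = trunk on the router; on the "switch" CHR ether1 = uplink, ether2-4 = access ports.

# ===== Router: three tagged VLAN sub-interfaces on the LAN1 trunk, each with its gateway IP
/interface vlan add name=vlan10_RH vlan-id=10 interface=LAN1
/interface vlan add name=vlan20_Secre vlan-id=20 interface=LAN1
/interface vlan add name=vlan30_Admin vlan-id=30 interface=LAN1
# Page example addresses. Caveat: 20/8 and 30/8 are public space; use RFC 1918 in production.
/ip address add address=10.10.10.1/24 interface=vlan10_RH
/ip address add address=20.20.20.1/24 interface=vlan20_Secre
/ip address add address=30.30.30.1/24 interface=vlan30_Admin

# ===== "Switch" (second CHR): the same VLAN IDs on the uplink ether1
/interface vlan add name=vlan10_RH vlan-id=10 interface=ether1
/interface vlan add name=vlan20_Secre vlan-id=20 interface=ether1
/interface vlan add name=vlan30_Admin vlan-id=30 interface=ether1

# One bridge per VLAN: the tagged sub-interface and the untagged access port are its two ports.
# A frame from ether2 enters untagged and leaves on vlan10_RH tagged with ID 10 towards the router.
/interface bridge add name=bridge10_RH
/interface bridge add name=bridge20_Secretariado
/interface bridge add name=bridge30_Administrativo
/interface bridge port add bridge=bridge10_RH interface=vlan10_RH
/interface bridge port add bridge=bridge10_RH interface=ether2
/interface bridge port add bridge=bridge20_Secretariado interface=vlan20_Secre
/interface bridge port add bridge=bridge20_Secretariado interface=ether3
/interface bridge port add bridge=bridge30_Administrativo interface=vlan30_Admin
/interface bridge port add bridge=bridge30_Administrativo interface=ether4

# Checks: each bridge lists exactly two ports; a PC on ether2 must use 10.10.10.1 as gateway
/interface bridge port print
/interface vlan print
```

Because each bridge holds only one VLAN, the switch never mixes tagged traffic between departments; the only path between VLANs is the router, which is where the filtering in the next section takes place.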

Creating VLANs on a single router

If instead of a router and a switch we only have one router, the procedure is very similar, with a couple of changes. We start from the CHR OVA we configured as the switch, with the difference that ether1 is now connected not to a router but to an ISP, in this case the home router, so we configure it as a DHCP client: go to IP → DHCP Client in the left menu, click the plus symbol, select the ether1 interface and click OK, as seen in the following image.

As said, the VLANs and bridges already exist because we start from the OVA configured before; for now we have only changed ether1 so that it receives its IP by DHCP.

Now we give each bridge an address: IP → Addresses, select each of the bridges and assign it an IP. BEWARE: the IP goes on the bridge, not on the VLAN interface or the Ethernet port that are its members. An address on the bridge is seen by both members, so it serves as the gateway of the VLAN clients and is what the DHCP server we configure next uses; an address put on a member port would not be reachable.

We can leave it like this, assigning a fixed IP to each computer that connects to each VLAN, or set up a DHCP service on each bridge; let us do that. As always, go to IP → DHCP Server, then the plus symbol or DHCP Setup so that the wizard guides us. The steps are the same as when we configured the DHCP server earlier, so we only show the screenshots of the configuration.

We repeat these steps for the other two bridges. The final result is shown in the following image.

We must also create the masquerade rule in NAT for ether1, exactly as done before; to avoid repetition we only show the images.

One detail is still missing: if from one VLAN we ping the network of another, for example VLAN 20, it answers, because by default the router routes between all its directly connected networks, and we want them not to communicate with each other.

We can also look at the route list, which shows the routes installed on the router.

So we add a couple of rules in the firewall so that the VLANs cannot see each other but can still reach the Internet. In the left menu go to IP → Firewall, Filter Rules tab, and click the plus symbol. In the forward chain we define that everything going from network 10.10.10.0/24 (VLAN 10) to network 20.20.20.0/24 (VLAN 20) is dropped.

Then we repeat the same in reverse: everything from VLAN 20 to VLAN 10 is dropped.

With this we can decide which VLANs see each other and which do not; in this case we make them all completely independent, leaving the rules as shown in the image. Remember that firewall rules are evaluated top to bottom and the first match wins, so these drop rules must sit above any rule that accepts forwarded traffic in general.
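The single-router VLAN configuration and the inter-VLAN isolation as RouterOS commands, added here as an example that is not the page's own. It assumes the bridges and VLANs created in the switch configuration above, ether1 as the Internet-facing interface and the page's example subnets. Beyond the page's per-pair drop rules, it also shows a generalization: an interface list containing every VLAN bridge, so that two rules isolate any number of VLANs.

```routeros
# Added example: single-router VLANs (address on the bridge, DHCP per bridge, isolation).
# Assumes bridge10_RH, bridge20_Secretariado, bridge30_Administrativo from the switch config.

# ether1 takes its IP from the home router
/ip dhcp-client add interface=ether1 disabled=no

# The IP goes on the bridge, not on its member ports
/ip address add address=10.10.10.1/24 interface=bridge10_RH
/ip address add address=20.20.20.1/24 interface=bridge20_Secretariado
/ip address add address=30.30.30.1/24 interface=bridge30_Administrativo

# One DHCP server per bridge (shown for VLAN 10; repeat for 20 and 30)
/ip pool add name=pool_vlan10 ranges=10.10.10.100-10.10.10.254
/ip dhcp-server add name=dhcp_vlan10 interface=bridge10_RH address-pool=pool_vlan10 disabled=no
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1

# Masquerade towards the Internet
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# ===== Isolation. Rules are evaluated top to bottom: accept return traffic first,
# so the drops below only ever see the first packet of a new flow.
/ip firewall filter add chain=forward connection-state=established,related action=accept

# Page's approach: one drop per direction for each pair of VLANs
/ip firewall filter add chain=forward src-address=10.10.10.0/24 dst-address=20.20.20.0/24 action=drop
/ip firewall filter add chain=forward src-address=20.20.20.0/24 dst-address=10.10.10.0/24 action=drop
# ...likewise 10<->30 and 20<->30: with N VLANs that is N*(N-1) rules.

# Generalization (added here): put every VLAN bridge in an interface list and drop anything
# forwarded from the list to the list. A new VLAN is isolated just by adding its bridge.
/interface list add name=VLANS
/interface list member add list=VLANS interface=bridge10_RH
/interface list member add list=VLANS interface=bridge20_Secretariado
/interface list member add list=VLANS interface=bridge30_Administrativo
/ip firewall filter add chain=forward in-interface-list=VLANS out-interface-list=VLANS action=drop comment="no inter-VLAN traffic"

# To let one pair talk, add an accept ABOVE the drop (first match wins), e.g. admins -> HR:
# /ip firewall filter add chain=forward in-interface=bridge30_Administrativo out-interface=bridge10_RH action=accept place-before=[find comment="no inter-VLAN traffic"]

# Check from a VLAN 10 host: ping 20.20.20.1 must fail, ping 8.8.8.8 must work;
# the drop rule's counters must increase with the first ping.
/ip firewall filter print stats
```

The interface-list form is what a practitioner would keep in production: it does not depend on the address plan, so renumbering a VLAN cannot silently open a path between departments.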

Configure DMZ and firewall rules

We start from the following topology of a business network with two LANs and a DMZ.

We configure a DMZ with the following conditions, following the previous image.

  • The DMZ network is 192.168.30.0/24 and holds one or more servers, as many as the company needs; as an example we put two, an FTP server and an HTTP server. Being servers they have fixed IPs, and they have Internet access.

  • The LAN1 network is 192.168.10.0/24; it holds the company's workers and has no Internet access.

  • The LAN2 network is 192.168.20.0/24, also with fixed IPs since only the administrators are there, and it has Internet access. One administrator maintains the DMZ over SSH without having access to LAN1, and the other administrator maintains LAN1 without having access to the DMZ.

Only the firewall rules are shown, since creating the networks, naming interfaces, assigning IPs, creating DHCP, etc. has already been covered.

First we redirect what enters through the WAN to our servers according to the protocol and port they use: go to IP → Firewall, NAT tab, and add a new rule with the plus symbol, with the settings shown in the following images (Chain dstnat, In. Interface WAN, Protocol tcp, Dst. Port, Action dst-nat, To Addresses).

As the two previous images show, everything arriving over TCP on port 80 is redirected to a specific IP, the IP of our web server. We repeat the same rule for ports 8080 and 443.

Now we do the same with port 21, redirecting what arrives on it to the IP of the FTP server. FTP opens a second data connection, so the FTP helper under IP → Firewall → Service Ports must stay enabled for that connection to be tracked and translated as well.

Once all the NAT rules are finished they should look like the following image.

We add one more NAT rule to later check that port forwarding works, from the host PC, by connecting over SSH to one of the DMZ servers through the router's WAN IP. We simply add the rules shown below. This rule exposes SSH on the WAN, so it should be limited with a Src. Address to the test host and disabled once the check is done.

Now we go to the Filter Rules tab in the Firewall window. First we allow the services administrator on LAN2 to reach the HTTP and FTP servers. As there are many images, to avoid repetition we show one example and the complete configuration at the end.

We can make the rules more specific, allowing connections only over a given protocol and port, leaving the rules as follows.

The following rule accepts the traffic of established and related connections. It belongs at the top of the forward chain, so that return packets of already accepted connections are not evaluated against the rest of the rules.

Next we deny, with the reject action, any other connection from LAN2 to the DMZ and vice versa.

Both rules look as follows.

Next, the services administrator must be able to connect over SSH to both servers; for this we only need a rule like the one shown below.

The remaining configuration follows the same process, so to avoid repetition the following image shows the whole set of rules.
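The complete DMZ NAT and filter ruleset as RouterOS commands. This is an added example and not the page's own rule list; the server and administrator addresses (web 192.168.30.10, FTP 192.168.30.11, services administrator 192.168.20.10, LAN administrator 192.168.20.11, test host 192.168.1.50) and the interface names WAN/LAN1/LAN2/DMZ are assumptions. It adds two things the screenshots cannot show: the rule order and a final default-deny, so that anything not explicitly allowed between the three networks is dropped.

```routeros
# Added example: DMZ NAT and filter rules, RouterOS 6.x.
# Assumed: web 192.168.30.10, FTP 192.168.30.11, services admin 192.168.20.10,
# LAN admin 192.168.20.11, test host 192.168.1.50, interfaces WAN/LAN1/LAN2/DMZ.

# ===== NAT: publish the DMZ services (dst-nat on traffic entering the WAN)
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.30.10 to-ports=80 comment="web http"
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.30.10 to-ports=443 comment="web https"
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.30.10 to-ports=8080 comment="web alt"
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.30.11 to-ports=21 comment="ftp"
# the FTP helper tracks and translates the data connection that follows the control one
/ip firewall service-port set ftp disabled=no
# temporary SSH check from the host PC only; disable it after the test
/ip firewall nat add chain=dstnat in-interface=WAN src-address=192.168.1.50 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.30.10 to-ports=22 comment="TEST ssh - disable after check"

# ===== Filter, forward chain. First match wins, so the order below matters.
# 1. return traffic of accepted flows, then malformed/untracked packets
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
# 2. what the Internet may reach in the DMZ: only flows that went through dst-nat, on the published ports
/ip firewall filter add chain=forward in-interface=WAN out-interface=DMZ connection-nat-state=dstnat protocol=tcp dst-port=21,22,80,443,8080 action=accept
# 3. services administrator: HTTP/FTP and SSH to the DMZ, nothing towards LAN1
/ip firewall filter add chain=forward src-address=192.168.20.10 dst-address=192.168.30.0/24 protocol=tcp dst-port=21,22,80,443,8080 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.10 out-interface=LAN1 action=reject
# 4. LAN administrator: LAN1 only, never the DMZ
/ip firewall filter add chain=forward src-address=192.168.20.11 out-interface=LAN1 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.11 out-interface=DMZ action=reject
# 5. Internet access: LAN2 and the DMZ servers yes, LAN1 workers no
/ip firewall filter add chain=forward in-interface=LAN2 out-interface=WAN action=accept
/ip firewall filter add chain=forward in-interface=DMZ out-interface=WAN action=accept
/ip firewall filter add chain=forward in-interface=LAN1 out-interface=WAN action=drop comment="LAN1 no internet"
# 6. any other LAN2<->DMZ connection is rejected, and whatever is left is dropped
/ip firewall filter add chain=forward in-interface=LAN2 out-interface=DMZ action=reject
/ip firewall filter add chain=forward in-interface=DMZ out-interface=LAN2 action=reject
/ip firewall filter add chain=forward action=drop comment="default deny"

# Checks: run the SSH test from the host PC, then watch which rule counted the packets
/ip firewall filter print stats
/ip firewall connection print
```

Reject (ICMP unreachable) towards the administrators gives them an immediate error, while the default deny at the bottom silently drops anything unexpected, including DMZ-to-LAN traffic should a server be compromised.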

Configure VPN over IPsec

It is very common for a company with several offices to want a connection between them, and for that VPNs are usually created so that the offices can communicate. We will build an example of a site-to-site VPN over IPsec following the diagram below: two offices, each with its own local network, and the tunnel running from one router to the other.

To see the VPN set-up more clearly we use two new RouterOS images, each with one bridged adapter and one adapter on an internal network. First we name the interfaces, give them IPs and set up a DHCP server for the internal network; this need not be shown in images since it was already covered. Next we give a static IP to the WAN of each router, and for that we show a quick and simple method using a MikroTik helper: in the left menu select Quick Set.

This window is a quick initial configuration, where we can set the following.

  • The Internet section is the WAN configuration, where we set:

    • Address Acquisition: Static

    • IP Address: the IP of the router interface with Internet access

    • Gateway: the IP of the home router, because all of this is virtualized; in a real environment it is the gateway of our ISP

    • DNS: we can use Google's

  • The Local Network section refers to the interface facing our LAN, where we set:

    • The IP of the LAN interface and its mask

    • The DHCP server for this interface, defining the range of IPs it hands out

    • NAT, enabled for masquerading

We can also set the router's access password here in passing. Both routers must be configured, each with its own IPs.

Next, in the left menu click IP → IPsec, go to the Peers tab and click the plus symbol.

In this new window we give the neighbour (peer) a name; in Address we write the public IP of the remote router, and in Local Address the public IP of the router we are configuring.

Go to the Identities tab, click the plus symbol, and in the new window leave everything at default except Secret, the pre-shared key, which must be identical on both routers; also make sure the Peer field points to the peer created earlier. With pre-shared key authentication the tunnel's security rests on that secret, so use a long random one.

Then go to the Policies tab, click the plus symbol and in the General tab first check that Peer is the one we want to configure; enable Tunnel; in Src. Address write the CIDR of the local network behind the router we are configuring, and in Dst. Address the CIDR of the remote local network.

The same configuration is carried out on the other router, changing only the IPs so that they match the other end of the tunnel.

When both are configured, we check the Status tab in IPsec → Policies and look at PH2 State: if it says established on both routers, the tunnel is up.

We can also check in the Active Peers tab in IPsec.

Or in the Installed SAs tab, which shows the neighbours with which a security association is established, the encryption and authentication algorithms, and the public IPs of both routers.

If all this is correct, the next step is a NAT rule in the firewall so that the two local networks can communicate without being affected by masquerading. Go to IP → Firewall, NAT tab, and add a new rule with Chain srcnat, Src. Address the local network and Dst. Address the remote network with their masks, and Action accept.

Once added, this rule must be the first one: we move it above the masquerade rule, as shown below. Otherwise masquerade would rewrite the source of LAN-to-LAN packets to the WAN IP and they would no longer match the IPsec policy.

NOTE: Because of differences between RouterOS versions the configuration may differ from what is shown. Keep the following in mind:

  • For the IPsec VPN configuration, CHR version 6.45.8 was used, because when performing the same steps on version 6.46 some problem always occurred.

  • The interfaces of the routers facing the Internet were left as DHCP clients, since in this virtualized lab it was easier to let the home router give them the IP and the DNS.

  • In the NAT rule that bypasses masquerading, the Protocol field had to be set (although it is not always necessary): check whether the two networks reach each other by pinging and, depending on the result, adjust the protocol of the NAT rule, which in this case was 50 (ipsec-esp). To see or change the protocol IPsec uses, go to IP → IPsec, Policies tab, then the Action tab, as shown in the next picture. Keep in mind that the packets that must escape masquerade are the plain LAN-to-LAN packets, identified by their source and destination subnets (or with the firewall matcher ipsec-policy=out,ipsec); ESP (protocol 50) is the already encrypted traffic between the two public IPs.
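Both ends of the site-to-site tunnel as RouterOS commands, using the peer/identity/policy structure of RouterOS 6.45. This is an added example, not the page's configuration. The addresses are assumptions chosen for the same lab layout (both WANs behind the home router 192.168.1.1): office A with WAN 192.168.1.11 and LAN 10.1.0.0/24, office B with WAN 192.168.1.12 and LAN 10.2.0.0/24, ether1 as WAN and ether2 as LAN on each. It also adds the input-chain rules for IKE and ESP, which are needed as soon as the WAN input chain filters traffic, and selects IKEv2 where the page leaves the default exchange mode.

```routeros
# Added example: site-to-site IPsec between two CHR routers (RouterOS 6.45 syntax).
# Assumed lab addresses, both behind the home router 192.168.1.1:
#   Office A: WAN 192.168.1.11 (ether1), LAN 10.1.0.0/24 (ether2)
#   Office B: WAN 192.168.1.12 (ether1), LAN 10.2.0.0/24 (ether2)
# The PSK is a placeholder: generate a long random one and use the same value on both routers.

# ===== Office A (Quick Set equivalent: static WAN, LAN address, default route, masquerade)
/ip address add address=192.168.1.11/24 interface=ether1
/ip address add address=10.1.0.1/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip dns set servers=8.8.8.8,8.8.4.4
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="masquerade"

# IKE (UDP 500), NAT-T (UDP 4500) and ESP must be accepted on the WAN input chain
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"

# Peer = the other router; Identity = how we authenticate to it; Policy = which traffic is tunnelled.
# The page keeps the default exchange mode (main); IKEv2 is preferred when both ends support it.
/ip ipsec peer add name=officeB address=192.168.1.12/32 local-address=192.168.1.11 exchange-mode=ike2
/ip ipsec identity add peer=officeB auth-method=pre-shared-key secret="REPLACE-with-a-long-random-psk"
/ip ipsec policy add peer=officeB tunnel=yes src-address=10.1.0.0/24 dst-address=10.2.0.0/24 proposal=default

# Bypass masquerade for LAN-to-LAN traffic: match the plain packets by subnet,
# not protocol 50, and place the rule ABOVE the masquerade rule.
/ip firewall nat add chain=srcnat src-address=10.1.0.0/24 dst-address=10.2.0.0/24 action=accept comment="no NAT into the tunnel" place-before=[find comment="masquerade"]

# ===== Office B: mirror image
/ip address add address=192.168.1.12/24 interface=ether1
/ip address add address=10.2.0.1/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip dns set servers=8.8.8.8,8.8.4.4
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="masquerade"
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
/ip ipsec peer add name=officeA address=192.168.1.11/32 local-address=192.168.1.12 exchange-mode=ike2
/ip ipsec identity add peer=officeA auth-method=pre-shared-key secret="REPLACE-with-a-long-random-psk"
/ip ipsec policy add peer=officeA tunnel=yes src-address=10.2.0.0/24 dst-address=10.1.0.0/24 proposal=default
/ip firewall nat add chain=srcnat src-address=10.2.0.0/24 dst-address=10.1.0.0/24 action=accept comment="no NAT into the tunnel" place-before=[find comment="masquerade"]

# ===== Checks (run on office A): ph2-state must read "established" and the
# LAN-sourced ping must cross the tunnel; the bypass rule's counter must increase.
/ip ipsec policy print
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ping 10.2.0.1 src-address=10.1.0.1 count=3
/ip firewall nat print stats
```

If the ping from the router's LAN address fails while the policy shows established, the usual cause is the bypass rule sitting below masquerade: /ip firewall nat print stats shows the masquerade counter growing instead of the bypass one.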

ISPbills, all rights reserved.