Mikrotik
Setup system emailer
I have noticed that in RouterOS v2 the emailer uses the system identity as the HELO/EHLO host name. Some mail servers won't accept a host name containing spaces or other characters that are not valid in a host name. RouterOS v3 doesn't seem to be affected by this.
The following is for version 3 and 4:
/tool e-mail set server=69.18.98.42:587 from="mikrotik@bignetworks.com"
/system watchdog set auto-send-supout=yes send-email-to=notify@bignetworks.com send-smtp-server=69.18.98.42
The following is required for version 5:
/tool e-mail set address=69.18.98.42 port=587 from="mikrotik@bignetworks.com"
/system watchdog set auto-send-supout=yes send-email-to=notify@bignetworks.com send-smtp-server=69.18.98.42
NTP Client and Time Zone
/system clock set time-zone-name=America/Chicago
/system ntp client set enabled=yes mode=unicast primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
Google Public DNS Settings
For newer routers:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4
For older routers:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w primary-dns=8.8.8.8 secondary-dns=8.8.4.4
OpenDNS DNS Settings
For newer routers:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=208.67.222.222,208.67.220.220
For older routers:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w primary-dns=208.67.222.222 secondary-dns=208.67.220.220
Note that allow-remote-requests=yes makes the router answer DNS queries arriving on any interface, WAN included. The Protecting your WAN Interface rules below drop 53/tcp and 53/udp on the WAN; without them the router is an open resolver that can be used for amplification.
Protecting your WAN Interface
# Pick your WAN input interface
# DO NOT COPY AND PASTE ALL THESE RULES!!!
/ ip firewall filter
add chain=input in-interface=ether1 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether2 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether3 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether4 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether5 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether6 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether7 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether8 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether9 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether10 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=ether11 action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input in-interface=pppoe action=jump jump-target=protect-wan-input src-address-list=!allowed-management comment="Filter WAN input" disabled=no
add chain=input action=jump jump-target=protect-wan-input in-interface=vlan src-address-list=!allowed-management comment="" disabled=no

# The protect-wan-input chain
/ ip firewall filter
add action=drop chain=protect-wan-input comment="Protect services running on the WAN interface" disabled=no dst-port=21 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=22 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=23 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=53 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=80 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=443 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=3128 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=8080 protocol=tcp
add action=drop chain=protect-wan-input comment="" disabled=no dst-port=64872-64875 protocol=tcp
add action=jump chain=protect-wan-input comment="" disabled=no jump-target=manage-icmp protocol=icmp
add chain=protect-wan-input action=accept comment="Accept all other WAN input" disabled=no

# manage-icmp chain
/ ip firewall filter
add chain=manage-icmp protocol=icmp icmp-options=8:0 action=accept comment="Allow pings" disabled=no
add chain=manage-icmp protocol=icmp icmp-options=0:0 action=accept comment="Accept responses to our pings" disabled=no
add chain=manage-icmp protocol=icmp icmp-options=3:0 action=accept comment="Accept notifications of unreachable hosts" disabled=no
add chain=manage-icmp protocol=icmp icmp-options=4:0 action=accept comment="Accept notifications to reduce sending speed" disabled=no
add chain=manage-icmp protocol=icmp icmp-options=11:0 action=accept comment="Accept notifications of lost packets" disabled=no
add chain=manage-icmp protocol=icmp icmp-options=12:0 action=accept comment="Accept notifications of protocol problems" disabled=no
add chain=manage-icmp protocol=icmp action=drop comment="Drop all other ICMP traffic" disabled=no

Notes: the jump is skipped for sources on the allowed-management address list, and a list with no members matches nothing, so its negation matches every source. Populate allowed-management with your management addresses before adding the jump rules or you filter yourself along with everyone else. The protect-wan-input chain is a blacklist: it drops the listed ports, hands ICMP to manage-icmp, and its final rule accepts everything else, so any service not in the list (winbox on 8291/tcp, the API on 8728/tcp, SNMP on 161/udp) stays reachable from the WAN unless you add a drop for it.
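The rules above have to be adapted to your own WAN interfaces and management sources, which is why the page warns against pasting them wholesale. The following is an added example, not part of the original page or of RouterOS: a small Python generator that emits the same jump, protect-wan-input and manage-icmp rules for a chosen interface list, refuses to run until allowed-management has at least one member, and answers the question "is this port actually covered by the drop list?". The interface names, the management source and the winbox port added in the demo are assumptions for illustration.

```python
# Added example (not from the original page): generate the WAN-input
# protection rules for a chosen list of WAN interfaces, and check which
# ports the drop list actually covers. Interface names, management sources
# and the ports used in the demo are assumptions for illustration.

# (dst-port, protocol) pairs dropped by the page's protect-wan-input chain
BLOCKED = [
    ("21", "tcp"), ("22", "tcp"), ("23", "tcp"), ("53", "tcp"), ("53", "udp"),
    ("80", "tcp"), ("443", "tcp"), ("3128", "tcp"), ("8080", "tcp"),
    ("64872-64875", "tcp"),
]

# ICMP type:code pairs the page's manage-icmp chain accepts, with their comments
ICMP_ACCEPT = [
    ("8:0", "Allow pings"),
    ("0:0", "Accept responses to our pings"),
    ("3:0", "Accept notifications of unreachable hosts"),
    ("4:0", "Accept notifications to reduce sending speed"),
    ("11:0", "Accept notifications of lost packets"),
    ("12:0", "Accept notifications of protocol problems"),
]


def _port_range(spec):
    """'22' -> (22, 22); '64872-64875' -> (64872, 64875)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def is_blocked(port, proto, extra_blocked=()):
    """True if protect-wan-input would drop dst-port/proto for a non-management source."""
    for spec, p in list(BLOCKED) + list(extra_blocked):
        lo, hi = _port_range(spec)
        if p == proto and lo <= port <= hi:
            return True
    return False


def wan_input_rules(wan_interfaces, management_sources, extra_blocked=()):
    """Return the RouterOS commands as a list of lines, in the order they must be added.

    The jump rules match src-address-list=!allowed-management. An empty or
    missing list matches nothing, so its negation matches every source; the
    list is therefore emitted first and must not be empty.
    """
    if not management_sources:
        raise ValueError("allowed-management must have at least one member, "
                         "otherwise management from the WAN is filtered for everyone")
    lines = ["/ip firewall address-list"]
    lines += [f'add list=allowed-management address={src} comment="management source"'
              for src in management_sources]
    lines.append("/ip firewall filter")
    for ifc in wan_interfaces:
        lines.append(f"add chain=input in-interface={ifc} src-address-list=!allowed-management "
                     'action=jump jump-target=protect-wan-input comment="Filter WAN input"')
    for spec, proto in list(BLOCKED) + list(extra_blocked):
        lines.append(f"add chain=protect-wan-input protocol={proto} dst-port={spec} action=drop "
                     'comment="Protect services running on the WAN interface"')
    lines.append("add chain=protect-wan-input protocol=icmp action=jump jump-target=manage-icmp")
    lines.append('add chain=protect-wan-input action=accept comment="Accept all other WAN input"')
    for opt, comment in ICMP_ACCEPT:
        lines.append(f'add chain=manage-icmp protocol=icmp icmp-options={opt} action=accept comment="{comment}"')
    lines.append('add chain=manage-icmp protocol=icmp action=drop comment="Drop all other ICMP traffic"')
    return lines


if __name__ == "__main__":
    # Assumed values: two WAN interfaces, one management host, winbox added to the drop list
    extra = (("8291", "tcp"),)
    for line in wan_input_rules(["ether1", "pppoe-out1"], ["203.0.113.10/32"], extra):
        print(line)
    print("# 8291/tcp blocked by the page's list alone:", is_blocked(8291, "tcp"))
```

Paste the printed lines into a terminal in the order given; RouterOS appends rules, so the address list exists before the jump rules reference it, and the accept rule lands at the end of protect-wan-input where the blacklist needs it.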
Traffic Marking
/ip firewall mangle
add action=jump chain=prerouting comment="Jump to mark-traffic: MUST RETURN FROM THIS JUMP" disabled=no jump-target=mark-traffic
add action=jump chain=output comment="Jump to mark-traffic: MUST RETURN FROM THIS JUMP" disabled=no jump-target=mark-traffic packet-mark=no-mark
add action=mark-packet chain=mark-traffic comment="mark-traffic: default mark bulk" disabled=no new-packet-mark=bulk passthrough=yes
add action=mark-packet chain=mark-traffic comment="mark-traffic: voice" disabled=no dst-address-list=voice-servers new-packet-mark=voice passthrough=yes
add action=return chain=mark-traffic comment="" disabled=no packet-mark=voice
add action=return chain=mark-traffic comment="mark-traffic: end of chain return" disabled=no
Every packet is first marked bulk, then re-marked voice if its destination is on the voice-servers address list; the return on packet-mark=voice short-circuits the rest of the chain. The voice-servers list and the priority-data packet mark used by the queue tree below are not created here; add the list and a mark-packet rule for priority-data or those queues never see traffic.
Basic voice queue
/queue type
add kind=sfq name=qos sfq-allot=1514 sfq-perturb=5
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan1-root packet-mark="" parent=ether1 priority=8 queue=qos
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan1-bulk packet-mark=bulk,no-mark parent=queue-wan1-root priority=8 queue=qos
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan1-voice packet-mark=voice parent=queue-wan1-root priority=1 queue=qos
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan1-priority-data packet-mark=priority-data parent=queue-wan1-root priority=7 queue=qos
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan2-root packet-mark="" parent=ether2 priority=8 queue=qos
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan2-bulk packet-mark=bulk,no-mark parent=queue-wan2-root priority=8 queue=qos
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan2-voice packet-mark=voice parent=queue-wan2-root priority=1 queue=qos
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=queue-wan2-priority-data packet-mark=priority-data parent=queue-wan2-root priority=7 queue=qos
Enable/Disable Services
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=yes
set www port=80 address=0.0.0.0/0 disabled=yes
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
Telnet sends credentials in the clear; once ssh works, disable telnet as well. The address= field accepts a subnet, so restrict management services to your management network instead of 0.0.0.0/0; otherwise the WAN input filter above is all that keeps them off the Internet.
Enable/Disable Service Ports
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=no
set pptp disabled=no
These are the connection-tracking helpers (ALGs) that open related connections for each protocol; leave disabled any you do not use.
Initial SNMP configuration
This simply turns on SNMP and restricts the public community to localhost, which makes it unusable from the network.
Add your own community entry to make use of SNMP, but I recommend not deleting the public entry. This is due to an issue in the Mikrotik export function for SNMP.
/snmp
set contact="" enabled=yes engine-boots=0 engine-id="" location="" \
time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=127.0.0.1/32 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
For v5:
/snmp
set contact="" enabled=yes engine-id="" location="" trap-community=public \
trap-target=0.0.0.0 trap-version=1
/snmp community
set public address=127.0.0.1/32 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=DES \
name=public read-access=yes security=none write-access=no
add address=0.0.0.0/0 authentication-password="" authentication-protocol=MD5 \
encryption-password="" encryption-protocol=DES name=localmon read-access=\
yes security=none write-access=no
As written, localmon is readable from any address (address=0.0.0.0/0) with no authentication (security=none), and 161/udp is not in the WAN drop list above. Set address= to the monitoring host or subnet, or add a drop for 161/udp to protect-wan-input.
Protecting your LAN
/ip firewall filter
add chain=protect-lan connection-state=invalid action=drop comment="Drop invalid packets" disabled=no
add chain=protect-lan connection-state=established action=accept comment="Allow established traffic to pass" disabled=no
add chain=protect-lan connection-state=related action=accept comment="Allow related traffic to pass" disabled=no
add chain=protect-lan action=drop comment="Drop everything else" disabled=no
Nothing reaches this chain until a rule jumps to it (for example from chain=forward for the traffic you want filtered). The order matters: invalid packets are dropped first, replies to existing connections are accepted, and the final rule drops everything else, so any new inbound connection must be accepted explicitly before the jump.
Private IP Subnet address lists
/ip firewall address-list
add address=10.0.0.0/8 comment="private 10.0.0.0/255.0.0.0" disabled=no list=private-ip-subnets
add address=172.16.0.0/12 comment="private 172.16.0.0/255.240.0.0" disabled=no list=private-ip-subnets
add address=192.168.0.0/16 comment="private 192.168.0.0/255.255.0.0" disabled=no list=private-ip-subnets
Dealing with SPAM from inside
These rules allow outbound SMTP from valid internal addresses, block it from IPs we think are compromised, and track connection counts to decide whether an IP looks compromised. Order matters: the static blacklist is checked first, the two connection-limit rules add offenders to smtp-possible-spammers for 9 minutes (a higher limit for hosts on smtp-allowed-outbound, a limit of 2 for everyone else), and the log and drop rules then catch every packet from a listed address, whatever the port.
/ip firewall filter
add action=drop chain=filter-smtp comment="SPAM: Block SMTP from blacklist static list" disabled=no \
src-address-list=smtp-possible-spammers-static
add action=add-src-to-address-list address-list=smtp-possible-spammers address-list-timeout=9m \
chain=filter-smtp comment=\
"SPAM: Test outbound connections for connection limit for whitelisted limit" connection-limit=\
10,32 disabled=no dst-port=25 protocol=tcp src-address-list=smtp-allowed-outbound
add action=add-src-to-address-list address-list=smtp-possible-spammers address-list-timeout=9m \
chain=filter-smtp comment="SPAM: Test outbound connections for connection limit" \
connection-limit=2,32 disabled=no dst-port=25 protocol=tcp src-address-list=\
!smtp-allowed-outbound
add action=log chain=filter-smtp comment="SPAM: Log SMTP from blacklist" disabled=no log-prefix=\
possible-spammer src-address-list=smtp-possible-spammers
add action=drop chain=filter-smtp comment="SPAM: Block SMTP from blacklist" disabled=no \
src-address-list=smtp-possible-spammers
add action=return chain=filter-smtp comment="SPAM: Good packet... return" disabled=no
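To see what the chain above does over time, the following is an added example, not part of the original page and not RouterOS code: a Python model of filter-smtp run over a constructed sequence of connections. The addresses, the simulated clock, and the assumption that connection-limit matches once a source's open-connection count exceeds the limit are illustrative; on the router the matcher works against the connection-tracking table, so verify the exact boundary for your RouterOS version.

```python
# Added example (not from the original page): a model of the page's filter-smtp
# chain, run over constructed connection events. Addresses and the simulated
# clock are made up; the open-connection counter stands in for conntrack and the
# "count exceeds limit" boundary is an assumption about connection-limit.

WHITELIST_LIMIT = 10      # connection-limit=10,32 for smtp-allowed-outbound
OTHER_LIMIT = 2           # connection-limit=2,32 for everyone else
FLAG_TIMEOUT = 9 * 60     # address-list-timeout=9m, in seconds


class FilterSmtp:
    def __init__(self, allowed_outbound, static_blacklist):
        self.allowed_outbound = set(allowed_outbound)   # smtp-allowed-outbound
        self.static_blacklist = set(static_blacklist)   # smtp-possible-spammers-static
        self.possible_spammers = {}   # src -> expiry time (the dynamic address list)
        self.open_conns = {}          # src -> open tcp/25 connections (stands in for conntrack)
        self.log = []                 # what the log rule would emit

    def _expire(self, now):
        """Dynamic address-list entries vanish once their timeout passes."""
        for src, expiry in list(self.possible_spammers.items()):
            if expiry <= now:
                del self.possible_spammers[src]

    def close_connection(self, src):
        """Connection torn down: the count the limit is checked against drops."""
        if self.open_conns.get(src, 0) > 0:
            self.open_conns[src] -= 1

    def packet(self, now, src, dst_port, proto="tcp"):
        """Run one packet through the chain; returns 'drop' or 'return'."""
        self._expire(now)
        # Rule 1: static blacklist has no port match, so everything from it is dropped
        if src in self.static_blacklist:
            return "drop"
        # Rules 2 and 3: a new tcp/25 connection is counted against the per-/32 limit;
        # add-src-to-address-list does not terminate, so the packet continues down the chain
        if proto == "tcp" and dst_port == 25:
            count = self.open_conns.get(src, 0) + 1
            self.open_conns[src] = count
            limit = WHITELIST_LIMIT if src in self.allowed_outbound else OTHER_LIMIT
            if count > limit:
                self.possible_spammers[src] = now + FLAG_TIMEOUT
        # Rules 4 and 5: log, then drop, anything from a flagged source, on any port
        if src in self.possible_spammers:
            self.log.append(f"possible-spammer {src} -> {proto}/{dst_port}")
            return "drop"
        # Rule 6: good packet, return to the calling chain
        return "return"


def run_demo():
    """Constructed scenario; returns the verdicts, the flagged set before expiry, and the log."""
    chain = FilterSmtp(allowed_outbound={"10.0.0.10"}, static_blacklist={"10.0.0.66"})
    verdicts = [chain.packet(0, "10.0.0.66", 25)]                      # static list: drop
    verdicts += [chain.packet(1, "10.0.0.10", 25) for _ in range(10)]  # whitelisted, 10 open: fine
    verdicts.append(chain.packet(2, "10.0.0.10", 25))                  # 11th exceeds 10: flagged, drop
    verdicts.append(chain.packet(3, "10.0.0.50", 25))                  # unlisted host, 1st: fine
    verdicts.append(chain.packet(3, "10.0.0.50", 25))                  # 2nd: fine
    verdicts.append(chain.packet(3, "10.0.0.50", 25))                  # 3rd exceeds 2: flagged, drop
    flagged = sorted(chain.possible_spammers)
    verdicts.append(chain.packet(4, "10.0.0.50", 80))                  # flagged: even port 80 is dropped
    verdicts.append(chain.packet(4 + FLAG_TIMEOUT, "10.0.0.50", 80))   # entry expired: passes again
    return verdicts, flagged, chain.log


if __name__ == "__main__":
    verdicts, flagged, log = run_demo()
    print(verdicts)
    print("flagged:", flagged)
    print("\n".join(log))
```

Two things the run makes visible: a flagged host loses every packet that passes through this chain, not just SMTP, until the 9-minute entry expires; and the counter is of open connections, so a host that opens and closes connections sequentially is never flagged, while a mass-mailer holding many at once is.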
Once this is in place we need to be notified. A scheduled script does this: each run sends one email listing every address currently on smtp-possible-spammers. Keep the address-list timeout longer than the scheduler interval (the rules above use 9m and the scheduler below runs every 5m) so every flagged address is seen by at least one run.
:local spamadmin notify@bignetworks.com
:local count 0
:local message ""
:local tmp
:foreach i in=[/ip firewall address-list find list=smtp-possible-spammers] \
do={ \
:set count ($count + 1)
:set tmp ([/ip firewall address-list get $i address])
:set message ($message . $tmp . "\r\n")
:log warning ("possible spammer found at " . $tmp)
}
:if ($count > 0) \
do={ \
:log info "watch-for-spammers sending notification"
/tool e-mail send \
to=$spamadmin \
subject=([/system identity get name] . ": $count possible spammers found") \
body=$message
}
Paste the following in a terminal to create the above script:
/system script
add name=watch-for-spammers source=":local spamadmin notify@bignetworks.com\r\
\n\r\
\n:local count 0\r\
\n:local message \"\"\r\
\n:local tmp\r\
\n\r\
\n:foreach i in=[/ip firewall address-list find list=smtp-possible-spammer\
s] \\\r\
\ndo={ \\\r\
\n:set count (\$count + 1)\r\
\n:set tmp ([/ip firewall address-list get \$i address])\r\
\n:set message (\$message . \$tmp . \"\\r\\n\")\r\
\n:log warning (\"possible spammer found at \" . \$tmp)\r\
\n}\r\
\n\r\
\n:if (\$count > 0) \\\r\
\ndo={ \\\r\
\n:log info \"watch-for-spammers sending notification\"\r\
\n/tool e-mail send \\\r\
\n to=\$spamadmin \\\r\
\n subject=([/system identity get name] . \": \$count possible spammer\
s found\") \\\r\
\n body=\$message\r\
\n}\r\
\n"
This is the line to add the scheduled task.
/system scheduler
add comment="" disabled=no interval=5m name="check-spammer-list" on-event="/system script run watch-for-spammers" \
start-date=jan/01/1970 start-time=00:00:00
An alternate method is to allow outbound SMTP only from a specified list of IPs. The rules below accept outbound SMTP from addresses on smtp-allowed-outbound, add the source of any other SMTP attempt to smtp-possible-spammers permanently (address-list-timeout=0s) and then drop it; the notification script above reports those entries as well.
/ ip firewall filter
add chain=lan-forward-out action=accept dst-port=25 protocol=tcp \
src-address-list=smtp-allowed-outbound comment="SPAM: Allow traffic from \
whitelist" disabled=no
add chain=lan-forward-out action=add-src-to-address-list dst-port=25 \
protocol=tcp address-list=smtp-possible-spammers address-list-timeout=0s \
comment="Log all other outbound SMTP" disabled=no
add chain=lan-forward-out action=drop dst-port=25 protocol=tcp comment="Drop \
all other outbound SMTP" disabled=no
Scripting
# list addresses in the visited-mailservers address-list
/ip firewall address-list
:foreach i in=[find list=visited-mailservers] do={:put [get $i address]}
Automated Backups
Make sure toaddress is a mailbox you control and that /tool e-mail (see the emailer setup above) points at a valid SMTP server for your Internet connection. The exported configuration contains everything the script's sensitive policy lets it read, passwords and keys included, and it goes out as an ordinary e-mail, so treat the destination mailbox as sensitive.
:log info "backup Beginning now"
:local toaddress systembackup@bignetworks.com
:global subject ([/system identity get name] . " Backup " . [/system clock get time])
:log info "backup Backing up config"
/export file=backup
:log info "backup pausing for 3s"
:delay 3s
:log info "backup being emailed"
/tool e-mail send to=$toaddress subject=$subject file=backup.rsc
:log info "backup finished"
Paste the following in a terminal to create the above script:
/system script
add name=backup-router policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
:log info \"backup Beginning now\"\r\
\n:local toaddress systembackup@bignetworks.com\r\
\n\r\
\n:global subject ([/system identity get name] . \" Backup \" . [/system c\
lock get time])\r\
\n\r\
\n:log info \"backup Backing up config\"\r\
\n/export file=backup\r\
\n\r\
\n:log info \"backup pausing for 3s\"\r\
\n:delay 3s\r\
\n\r\
\n:log info \"backup being emailed\"\r\
\n/tool e-mail send to=\$toaddress subject=\$subject file=backup.rsc\r\
\n\r\
\n:log info \"backup finished\"\r\
\n"
If you want the router to automatically email you the backup on an interval use the following script:
/system scheduler
add disabled=no interval=1w name=backup-router-weekly on-event="/system script run backup-router \r\n"\
start-date=jan/01/2012 start-time=01:00:00
Netwatching
This will send an email on up and down:
/tool netwatch
add comment="some-device" disabled=no \
down-script="/tool e-mail send to=email@domain.com subject=\"some-device down\"" \
up-script="/tool e-mail send to=email@domain.com subject=\"some-device up\"" \
host=1.1.1.1
This will add an entry to the log on up and down:
/tool netwatch
add comment="some-device" disabled=no \
down-script="/log warning message=\"some-device down\"" \
up-script="/log warning message=\"some-device up\"" \
host=1.1.1.1 interval=10s timeout=1s
Clearing the arp cache
The following script removes the dynamic ARP entries every $delaytime seconds, $numloops times (12 loops of 5 seconds as written, about a minute in total).
:log info "clearing arp table of dynamic entries"
:local counter 0
:local delaytime 5
:local numloops 12
:while ($counter < $numloops) do={ \
:log info "clearing arp loop"
:foreach i in=[/ip arp find dynamic=yes] do={ \
/ip arp remove $i
}
:log info "delaying..."
:delay $delaytime
}
Upgrade timing
RouterBoard 150
RouterOS 2.9.46, BIOS 2.9 -> RouterOS 2.9.51: 2m45s
RouterOS 2.9.51, BIOS 2.9 -> BIOS 2.12: 30s
RouterOS 2.9.51, BIOS 2.12 -> RouterOS 3.9: 2m5s
RouterOS 2.9.51, BIOS 2.12 -> RouterOS 3.9: 2m0s
RouterOS 3.9, BIOS 2.12 -> BIOS 2.14: 28s
RouterOS 3.9, BIOS 2.12 -> BIOS 2.14: 28s
OSPF Route Filtering
/routing filter
add action=discard chain=ospf-private-only-out comment="ptp vpn tunnels" disabled=no invert-match=no prefix=10.74.0.0/16 prefix-length=16-32
add action=discard chain=ospf-private-only-out comment="access to local dsl modem web management" disabled=no invert-match=no prefix=192.168.1.0/24
add action=accept chain=ospf-private-only-out comment="" disabled=no invert-match=no prefix=10.0.0.0/8 prefix-length=8-32
add action=accept chain=ospf-private-only-out comment="" disabled=no invert-match=no prefix=172.16.0.0/12 prefix-length=12-32
add action=accept chain=ospf-private-only-out comment="" disabled=no invert-match=no prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=ospf-private-only-out comment="" disabled=no invert-match=no
add action=discard chain=ospf-private-only-in comment="" disabled=no invert-match=no prefix=10.74.0.0/16 prefix-length=16-32
add action=accept chain=ospf-private-only-in comment="" disabled=no invert-match=no prefix=10.0.0.0/8 prefix-length=8-32
add action=accept chain=ospf-private-only-in comment="" disabled=no invert-match=no prefix=172.16.0.0/12 prefix-length=12-32
add action=accept chain=ospf-private-only-in comment="" disabled=no invert-match=no prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=ospf-private-only-in comment="" disabled=no invert-match=no
Both chains end in an unconditional discard, so only RFC 1918 space (minus the two exceptions at the top of the out chain) is exchanged. The chains do nothing until they are attached to the OSPF instance as its in-filter and out-filter.
Hotspot and Apple IOS
http://forum.mikrotik.com/viewtopic.php?f=2&t=42942
/ip hotspot profile
set hsprof1 dns-name=""
/ip hotspot walled-garden
add action=allow comment="" disabled=no dst-host=www.apple.com path=/library/test/success.html
Send email with attached log on startup
/system scheduler
add comment="" disabled=no interval=0s name=startup-notify on-event="/log print file=mikrotik.log.txt\r\
\n/tool e-mail send to=notify@bignetworks.com subject=\"\$[/system identity get name] startup at \$[/system c\
lock get time] \$[/system clock get date]\" body=\"See attached log file\" file=mikrotik.log.txt\r\
\n" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive start-time=startup
Private use MAC addresses
The following range of MAC Addresses are reserved for private use:
AC:DE:48:00:00:00 to AC:DE:48:FF:FF:FF
When creating bridge interfaces on the Mikrotik router, create an admin MAC address using this range. I pull the last three octets from an actual device on the router.
Pantech UML290
What makes it work is the phone number: *99***3#
/interface ppp-client
add add-default-route=yes allow=pap,chap,mschap1,mschap2 data-channel=0 \
dial-command=ATDT dial-on-demand=no disabled=no info-channel=0 \
keepalive-timeout=30 max-mru=1500 max-mtu=1500 modem-init="" mrru=disabled \
name=ppp-out1 null-modem=no password="" phone=*99***3# pin="" port=usb2 \
profile=default use-peer-dns=yes user=""
IPSEC/IPIP/MSS Mangling
/ip firewall mangle
add action=jump chain=forward disabled=no jump-target=ipip-ipsec-mss-mangle in-interface=ipip
add action=jump chain=forward disabled=no jump-target=ipip-ipsec-mss-mangle out-interface=ipip
add action=jump chain=ipip-ipsec-mss-mangle disabled=no jump-target=mss-max-1300
add action=change-mss chain=mss-max-1300 disabled=no new-mss=1300 protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=mss-max-1400 disabled=no new-mss=1400 protocol=tcp tcp-flags=syn tcp-mss=1401-65535
Only mss-max-1300 is jumped to; mss-max-1400 is defined for the same purpose but has no effect until something jumps to it. The tcp-mss=1301-65535 match means only SYNs advertising a larger MSS are rewritten; SYNs already at or below 1300 pass untouched.
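Why clamp to 1300 rather than 1400? The following is an added example, not part of the original page, that works the arithmetic through: the largest TCP MSS that still fits a 1500-byte MTU once the segment is wrapped in IPIP and then ESP. The cipher and integrity parameters (AES-CBC with HMAC-SHA1-96, 3DES-CBC in the second case) and the choice of transport versus tunnel mode are assumptions; check them against your own IPsec proposal.

```python
# Added example (not from the original page): compute the largest TCP MSS that
# fits in a 1500-byte MTU after IPIP encapsulation and ESP protection. The
# cipher parameters and IPsec mode are assumptions for illustration.

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1), inside the padded region


def esp_packet_size(payload_len, iv_len, block, icv_len):
    """Wire size of an IPv4 packet carrying ESP with payload_len protected bytes.

    ESP pads so that payload + pad-length + next-header is a multiple of the
    cipher block size (RFC 4303, section 2.4); the ICV follows the padding."""
    padded = -(-(payload_len + ESP_TRAILER) // block) * block   # round up to a block boundary
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len


def fits(mss, mtu=1500, iv_len=16, block=16, icv_len=12, tunnel_mode=False):
    """Does a full-size TCP segment with this MSS, tunnelled over IPIP, fit in mtu?

    IPIP adds one IPv4 header around the original IP/TCP packet. In transport
    mode ESP protects the IPIP payload (the IPIP header carries ESP); in tunnel
    mode ESP protects the whole IPIP packet behind a new outer IPv4 header."""
    ipip_packet = IPV4_HDR + IPV4_HDR + TCP_HDR + mss
    payload = ipip_packet if tunnel_mode else ipip_packet - IPV4_HDR
    return esp_packet_size(payload, iv_len, block, icv_len) <= mtu


def max_mss(**kw):
    """Largest MSS for which fits() holds, searching down from the plain-Ethernet 1460."""
    mss = kw.get("mtu", 1500) - IPV4_HDR - TCP_HDR
    while mss > 0 and not fits(mss, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    # AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV), transport mode
    print("max MSS, AES-CBC/SHA1 transport:", max_mss())
    print("1400 fits:", fits(1400), " 1300 fits:", fits(1300))
    # 3DES-CBC (8-byte IV and block) with a 12-byte ICV, tunnel mode
    print("max MSS, 3DES/96-bit ICV tunnel:", max_mss(iv_len=8, block=8, tunnel_mode=True))
```

With the assumed AES-CBC/SHA1 transport-mode proposal the ceiling is 1398, so the mss-max-1400 chain would still produce fragmented or dropped segments; 1300 leaves headroom for tunnel mode and for heavier proposals. Run max_mss() with your own parameters before raising the clamp.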
DNS Changer IP Subnets
These are the rogue DNS server ranges used by the DNSChanger malware. Match the list in a forward rule (dst-address-list=DNSchanger) to log or drop clients that are still pointed at them.
/ip firewall address-list
add address=85.255.112.0/20 disabled=no list=DNSchanger
add address=67.210.0.0/20 disabled=no list=DNSchanger
add address=93.188.160.0/21 disabled=no list=DNSchanger
add address=77.67.83.0/24 disabled=no list=DNSchanger
add address=213.109.64.0/20 disabled=no list=DNSchanger
add address=64.28.176.0/20 disabled=no list=DNSchanger