[[https://mikrotik.com/|MikroTik]] routers offer professional-grade features at affordable prices, which makes them ideal for personal use. Whether you need a router, a switch or a Wi-Fi access point, they all run the same operating system, [[https://mikrotik.com/software|RouterOS]]. Whatever the device, each model can fill the roles of router, firewall and switch. You can start with a model such as the [[https://mikrotik.com/product/RB750r2|hEX lite]], available for around **40€**.
You can also test RouterOS on a [[https://mikrotik.com/software|virtual machine]] for 24 hours.
I have also created a project that lets you test MikroTik router configurations in Docker images: [[https://github.com/badele/network-lab|see the project page]].
====== Features ======
MikroTik routers offer the following features:
  * **Network:**
    * [[https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching|Bridge]]
    * [[https://help.mikrotik.com/docs/spaces/ROS/pages/88014957/VLAN|VLAN]]
    * QoS ([[https://help.mikrotik.com/docs/spaces/ROS/pages/11993091/QoS+with+Switch+Chip|hardware]] / software)
    * DHCP server
    * Switching ([[https://help.mikrotik.com/docs/spaces/ROS/pages/21725254/Spanning+Tree+Protocol#SpanningTreeProtocol-STPandRSTP|STP, RSTP]])
  * **Routing:**
    * Static and dynamic routing ([[https://fr.wikipedia.org/wiki/Open_Shortest_Path_First|OSPF]], [[https://fr.wikipedia.org/wiki/Border_Gateway_Protocol|BGP]], [[https://fr.wikipedia.org/wiki/Routing_Information_Protocol|RIP]], [[https://fr.wikipedia.org/wiki/Multiprotocol_Label_Switching|MPLS]])
    * [[https://help.mikrotik.com/docs/spaces/ROS/pages/4390920/Load+Balancing|Load balancing]]
    * [[https://help.mikrotik.com/docs/spaces/ROS/pages/26476608/Failover+WAN+Backup|Failover]]
  * **Security:**
    * Firewall ([[https://help.mikrotik.com/docs/spaces/ROS/pages/28606504/DDoS+Protection|DDoS protection]], [[https://help.mikrotik.com/docs/spaces/ROS/pages/154042369/Port+knocking|port knocking]])
    * VPN ([[https://help.mikrotik.com/docs/spaces/ROS/pages/11993097/IPsec|IPsec]], [[https://help.mikrotik.com/docs/spaces/ROS/pages/2031655/OpenVPN|OpenVPN]], [[https://help.mikrotik.com/docs/spaces/ROS/pages/2031645/SSTP|SSTP]], [[https://help.mikrotik.com/docs/spaces/ROS/pages/69664792/WireGuard|WireGuard]])
  * **Wi-Fi:**
    * [[https://help.mikrotik.com/docs/spaces/ROS/pages/1409149/AP+Controller+CAPsMAN|AP controller (CAPsMAN)]], [[https://help.mikrotik.com/docs/spaces/ROS/pages/56459266/HotSpot+-+Captive+portal|Hotspot (captive portal)]]
For more information, see the [[https://help.mikrotik.com/docs/spaces/ROS/pages/19136707/Software+Specifications|documentation]].
====== Features in detail ======
===== Safe Mode =====
**Safe Mode** protects against configuration mistakes that would otherwise lock you out of the router.
From the command line, press ''%%CTRL-x%%'' to enable this mode; the prompt then displays a Safe Mode marker.
**How does it work?**
While Safe Mode is active, the router watches the connection to the administrator's SSH session. If that connection is lost, every change made since Safe Mode was entered is rolled back and the previous configuration is restored.
To keep your changes while you are still connected, leave Safe Mode by pressing ''%%CTRL-x%%'' again.
===== Firewall =====
MikroTik routers incorporate two types of firewall: Layer 2 and Layer 3.
==== Layer 3 example ====
<code>
/ip/firewall/filter
# Input
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=BAN
# Forward
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Masquerade
/ip/firewall/nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN
</code>
===== VLAN =====
VLANs can be used to isolate several network flows within the same bridge. This makes it possible, for example, to separate LAN traffic from DMZ traffic so that the two never share a broadcast domain. Two concepts matter here:
  * **Tagged (trunk):** a VLAN identifier is inserted into the Ethernet frame header ([[https://fr.wikipedia.org/wiki/IEEE_802.1Q|802.1Q]]), for devices that understand it (switches, access points, other routers).
  * **Untagged:** the VLAN identifier is stripped from the frame so that ordinary end devices can use it.
==== Example ====
The following example configures two VLANs: **LAN (2)** and **DMZ (3)**. All ports are dedicated to the LAN, except:
  * ''%%ether10%%'', dedicated to the DMZ;
  * ''%%ether2%%'', used as a tagged trunk that carries both the LAN and the DMZ flows.
<code>
# Temporarily disable VLAN filtering
/interface/bridge
set [find where name="bridge"] vlan-filtering=no
# Put every port in the LAN VLAN (PVID 2)
/interface/bridge/port
set [find] pvid=2
# Put ether10 in the DMZ VLAN (PVID 3)
set [find where interface=ether10] pvid=3
# Configure the trunk (ether2); the bridge itself is tagged so the router can route the VLANs
/interface/bridge/vlan
add bridge=bridge comment=eth2-lan tagged=ether2,bridge vlan-ids=2
add bridge=bridge comment=eth2-dmz tagged=ether2,bridge vlan-ids=3
# Create the VLAN interfaces
/interface/vlan
add interface=bridge name=vlan-lan vlan-id=2
add interface=bridge name=vlan-dmz vlan-id=3
# IP addressing
/ip/address
add address=192.168.2.254/24 interface=vlan-lan
add address=192.168.3.254/24 interface=vlan-dmz
# Configure the DHCP pools
/ip/pool
add name=dhcp-lan ranges=192.168.2.128/25
add name=dhcp-dmz ranges=192.168.3.128/25
# Add the DHCP servers
/ip/dhcp-server
add address-pool=dhcp-lan interface=vlan-lan
add address-pool=dhcp-dmz interface=vlan-dmz
</code>
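The VLAN configuration above separates LAN and DMZ at layer 2, but the router still routes between ''%%vlan-lan%%'' and ''%%vlan-dmz%%'', and the forward chain of the Layer 3 firewall example accepts everything that does not arrive from WAN. The following is an added example (not part of the original page) that ties the two sections together: it registers the LAN VLAN in the ''%%LAN%%'' interface list, blocks new connections from the DMZ toward the LAN, and opens the one router service the DMZ is assumed to need. It assumes the ''%%LAN%%'' and ''%%WAN%%'' interface lists already exist (the firewall rules reference them) and that the router serves DNS to the DMZ; the rule comments are my own.

```routeros
# Added example, not from the original page. Assumptions: the LAN and WAN
# interface lists already exist (the firewall rules reference them) and the
# router itself serves DNS to the DMZ; adjust the last rule if it does not.

# Only the LAN VLAN joins the LAN list. vlan-dmz deliberately stays out of it,
# so the "drop all not coming from LAN" input rule keeps DMZ hosts away from
# the router's management services (SSH, Winbox, API).
/interface/list/member
add interface=vlan-lan list=LAN

# Routing between vlan-dmz and vlan-lan is accepted by default: the forward
# chain above only drops invalid traffic and new connections arriving from WAN.
# Append a rule that drops (and logs) new connections initiated from the DMZ
# toward the LAN. LAN -> DMZ stays allowed, and its return traffic is still
# matched by the established,related rule.
/ip/firewall/filter
add action=drop chain=forward comment="drop new DMZ->LAN" connection-state=new in-interface=vlan-dmz out-interface=vlan-lan log=yes log-prefix=DMZ2LAN

# Services the DMZ legitimately needs from the router must be accepted on the
# input chain before the final drop, e.g. DNS (assumed to be served here):
add action=accept chain=input comment="DNS from DMZ" in-interface=vlan-dmz protocol=udp dst-port=53 place-before=[find comment="drop all not coming from LAN"]

# Check: the isolation rule's counters should increase after a test from a DMZ host,
# and the DMZ2LAN prefix makes the attempts easy to find with /log/print.
/ip/firewall/filter print stats where comment="drop new DMZ->LAN"
```

Rule order is what makes this work: the forward drop is appended after the existing rules, so established traffic and the WAN rule are evaluated first, while the DNS accept uses ''%%place-before%%'' so that it is evaluated before the catch-all input drop.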
=== Application of the configuration ===
To avoid losing access if the new configuration is wrong, I first switch to Safe Mode by pressing **CTRL-x**.
I can then enable **VLAN filtering** with the following commands (remembering to enable Safe Mode beforehand):
<code>
# Note: press CTRL-x first and check that the Safe Mode marker appears in the prompt
# Enable VLAN filtering
/interface/bridge
set [find where name="bridge"] vlan-filtering=yes
</code>
===== Practical tools =====
==== Logs ====
View logs in real time:
''%%/log/print follow%%''
Filter logs by keyword:
''%%/log/print where message~"BAN"%%''
<code>
14:33:48 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 80.75.212.9:50264->192.168.0.88:80, len 40
14:37:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 62.169.22.37:40244->192.168.0.88:80, len 40
15:13:31 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 194.50.16.198:57018->192.168.0.88:80, len 40
15:22:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 93.174.93.12:60000->192.168.0.88:80, len 40
</code>
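The ''%%BAN%%'' entries above only live in the router's small in-memory log buffer, so they vanish on reboot or once the buffer wraps. Here is an added example (not part of the original page) that keeps them usable: it forwards the ''%%firewall%%'' log topic to a remote syslog collector and records the dropped sources in a firewall address list, which gives a per-source view without grepping the log. The collector address ''%%192.0.2.10%%'' and the list name ''%%input-dropped%%'' are placeholders I chose; the rule comment ''%%drop all not coming from LAN%%'' refers to the rule in the Layer 3 firewall example above.

```routeros
# Added example, not from the original page.
# 1) Ship the "firewall" topic to a remote syslog collector so the BAN entries
#    survive a reboot and can be searched centrally. 192.0.2.10:514 is a
#    placeholder collector address (assumption); replace it with your own.
/system/logging/action
set remote remote=192.0.2.10 remote-port=514

/system/logging
add topics=firewall action=remote

# 2) Record the sources hit by the "drop all not coming from LAN" rule in an
#    address list. add-src-to-address-list is a non-terminating action, so the
#    packet still reaches the drop rule that follows; the list simply gives a
#    per-source view with a 1-day expiry instead of one log line per packet.
#    The rule uses the same matchers as the drop rule and is placed just before it.
/ip/firewall/filter
add action=add-src-to-address-list address-list=input-dropped address-list-timeout=1d chain=input comment="record sources dropped on input" connection-state=new in-interface-list=!LAN place-before=[find comment="drop all not coming from LAN"]

# Review the result: one entry per source address, with its remaining timeout
/ip/firewall/address-list print where list=input-dropped
```

Because the address-list rule only sees ''%%connection-state=new%%'' packets, a source is added once per connection attempt rather than per packet, and ''%%address-list-timeout%%'' lets the entry expire instead of growing the list forever.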
==== Ping ====
Testing an IP address:
''%%/tool/ping address=8.8.8.8 count=5%%''
<code>
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 249 27ms336us
1 8.8.8.8 56 249 28ms654us
2 8.8.8.8 56 249 28ms473us
3 8.8.8.8 56 249 28ms657us
4 8.8.8.8 56 249 28ms434us
</code>
==== Sniffer ====
Capture network traffic on an interface:
''%%/tool/sniffer/quick duration=1%%''
<code>
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether2 0.904 668 <- aa:bb:cc:dd:dd:ee aa:bb:cc:dd:dd:ee 254 192.168.254.114:33842 142.251.37.234:443 (https) ip:tcp 109 0
bridge 0.904 669 <- aa:bb:cc:dd:dd:ee aa:bb:cc:dd:dd:ee 254 192.168.254.114:33842 142.251.37.234:443 (https) ip:tcp 109 0
vlan-lan 0.904 670 <- aa:bb:cc:dd:dd:ee aa:bb:cc:dd:dd:ee 192.168.254.114:33842 142.251.37.234:443 (https) ip:tcp 105 0
ether1 0.904 671 -> aa:bb:cc:dd:dd:ee aa:bb:cc:dd:dd:ee 192.168.88.22:33842 142.251.37.234:443 (https) ip:tcp 105 0
ether1 0.919 672 <- aa:bb:cc:dd:dd:ee aa:bb:cc:dd:dd:ee 140.82.121.3 192.168.88.22 ip:icmp 98 0
vlan-lan 0.919 673 -> aa:bb:cc:dd:dd:ee aa:bb:cc:dd:dd:ee 140.82.121.3 192.168.254.100 ip:icmp 98 0
bridge 0.919 674 -> aa:bb:cc:dd:dd:ee aa:bb:cc:dd:dd:ee 254 140.82.121.3 192.168.254.100 ip:icmp 102 0
</code>
==== Torch ====
Analyse live network flows:
''%%/tool/torch interface=ether1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 ip-protocol=any mac-protocol=any%%''
<code>
MAC-PROTOCOL IP-PROTOCOL SRC-ADDRESS DST-ADDRESS TX RX TX-PACKETS RX-PACKETS
ip icmp 140.82.121.3 192.168.88.22 784bps 784bps 1 1
ip icmp 142.251.37.227 192.168.88.22 784bps 784bps 1 1
ip icmp 192.168.0.1 192.168.88.22 41.9kbps 41.9kbps 5 5
ip tcp 18.197.249.189 192.168.88.22 1488bps 976bps 2 1
ip tcp 45.45.148.7 192.168.88.22 1248bps 1728bps 2 3
ip tcp 71.18.255.144 192.168.88.22 17.6kbps 51.3kbps 9 11
</code>
==== System Resources ====
Displaying router resources:
''%%/system/resource print%%''
<code>
uptime: 1d23h10m42s
version: 7.14.1 (stable)
build-time: 2024-03-08 12:50:23
factory-software: 6.44.6
free-memory: 906.9MiB
total-memory: 1024.0MiB
cpu: ARM
cpu-count: 4
cpu-frequency: 533MHz
cpu-load: 0%
free-hdd-space: 418.5MiB
total-hdd-space: 512.0MiB
write-sect-since-reboot: 140623
write-sect-total: 1569203
bad-blocks: 0%
architecture-name: arm
board-name: RB4011iGS+5HacQ2HnD
platform: MikroTik
</code>
==== Updating Packages ====
Check the installed and available package versions:
''%%/system package update check-for-updates%%''
<code>
channel: stable
installed-version: 7.14.1
latest-version: 7.16.2
status: New version is available
</code>
Installing the update:
''%%/system package update install%%''
==== RouterBOARD firmware update ====
After a RouterOS package update, the board firmware may lag behind. Display the firmware versions (the serial number is masked here):
''%%/system routerboard print%%''
<code>
routerboard: yes
model: RB4011iGS+5HacQ2HnD
revision: r2
serial-number: DXXXXXXXXXXX
firmware-type: al2
factory-firmware: 6.45.9
current-firmware: 6.45.9
upgrade-firmware: 7.16.2
</code>
Upgrade the firmware and reboot to apply it:
<code>
/system routerboard upgrade
/system reboot
</code>
====== Sources ======
  * Websites
    * [[https://fr.wikipedia.org|fr.wikipedia.org]]
    * [[https://help.mikrotik.com|help.mikrotik.com]]
    * [[https://mikrotik.com|mikrotik.com]]
  * [[en:CharteIA]]
    * OpenAI
      * Rephrasing sentences
      * Correction of spelling mistakes