This is an old revision of the document!


MikroTik routers offer professional solutions at affordable prices, ideal for personal use. Whether you're looking for routers, switches or Wi-Fi access points, they all run the same operating system, RouterOS. Whatever the device, each model can fulfil the roles of router, firewall and switch. You can start with a model like the hEX lite, available for around 40€.

You can also test RouterOS on a virtual machine for 24 hours.

I've also created a project that lets you test MikroTik router configurations in Docker images. See the project page.

Features

MikroTik routers offer the following features:

For more information, see the documentation.

Features in detail

The Safe Mode protects against configuration errors that could lead to loss of access.

From the command line, press CTRL-x to activate this mode; it is identified by an indicator in the prompt.

How does it work?

In Safe Mode, the router periodically tests the connectivity between itself and the administrator's SSH session. If the connection is lost, it restores the configuration that was in place before Safe Mode was entered.

To keep your changes while still connected, deactivate Safe Mode by pressing CTRL-x again.

MikroTik routers incorporate two types of firewall: Layer 2 and Layer 3. The rules below configure the Layer 3 (IP) firewall: the input chain protects the router itself, the forward chain protects the networks behind it, and the srcnat chain masquerades outgoing traffic.

/ip/firewall/filter
# Input
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=BAN

# Forward
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Masquerade
/ip/firewall/nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN

VLANs can be used to isolate several network flows within the same bridge. This makes it possible, for example, to separate traffic between the LAN and a DMZ without any interaction between them. Two concepts matter here:

  • Tagged (trunk): a VLAN ID is added to the Ethernet frame header (802.1Q) so that VLAN-aware devices can tell the flows apart.
  • Untagged: the VLAN ID is removed so that the frame is usable by standard, VLAN-unaware devices.

The following example configures two VLANs: LAN (2) and DMZ (3). All ports are dedicated to the LAN, except:

  • ether10, for the DMZ.
  • ether2, used as a tagged trunk to carry both the LAN and DMZ flows.

# Temporarily disable VLAN filtering
/interface/bridge
set [find where name="bridge"] vlan-filtering=no

# Assign all ports to the LAN VLAN (PVID 2)
/interface/bridge/port
set [find] pvid=2

# Assign ether10 to the DMZ VLAN (PVID 3)
set [find where interface=ether10] pvid=3

# Configure the trunk (ether2); the bridge itself must be a tagged member so the router keeps its own IP on each VLAN
/interface/bridge/vlan
add bridge=bridge comment=eth2-lan tagged=ether2,bridge vlan-ids=2
add bridge=bridge comment=eth2-dmz tagged=ether2,bridge vlan-ids=3

# Create the VLAN interfaces
/interface/vlan
add interface=bridge name=vlan-lan vlan-id=2
add interface=bridge name=vlan-dmz vlan-id=3

# IP addressing
/ip/address
add address=192.168.2.254/24 interface=vlan-lan
add address=192.168.3.254/24 interface=vlan-dmz

# Configure the DHCP pools
/ip/pool
add name=dhcp-lan ranges=192.168.2.128/25
add name=dhcp-dmz ranges=192.168.3.128/25

# Add the DHCP servers
/ip/dhcp-server
add address-pool=dhcp-lan interface=vlan-lan
add address-pool=dhcp-dmz interface=vlan-dmz
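Enabling vlan-filtering=yes on a bridge whose VLAN table is incomplete is the classic way to lose access to a MikroTik router. As an added example (not from the page or its author), here is a Python pre-flight check that parses the CLI lines above, embedded below as constructed text, and reports the two mistakes that cut off management: a VLAN interface on the bridge whose VLAN does not list the bridge as a tagged member, and an administrator port that does not carry the management VLAN at all. It assumes the bridge already contains ether2 to ether10 as ports and that the administrator is connected through ether3 on VLAN 2; both assumptions are marked in the code.

```python
import re
import shlex

# Constructed sample: the bridge VLAN configuration from the page, pasted as text.
PAGE_VLAN_CONFIG = """
/interface/bridge
set [find where name="bridge"] vlan-filtering=no

/interface/bridge/port
set [find] pvid=2
set [find where interface=ether10] pvid=3

/interface/bridge/vlan
add bridge=bridge comment=eth2-lan tagged=ether2,bridge vlan-ids=2
add bridge=bridge comment=eth2-dmz tagged=ether2,bridge vlan-ids=3

/interface/vlan
add interface=bridge name=vlan-lan vlan-id=2
add interface=bridge name=vlan-dmz vlan-id=3
"""

# Assumption: these ports are already members of the bridge (the page's snippet
# only modifies existing bridge ports, it never adds them).
BRIDGE_PORTS = [f"ether{n}" for n in range(2, 11)]

# Matches the "[find]" / "[find where key=value]" selector of a RouterOS "set" command.
FIND_RE = re.compile(r"\[find(?:\s+where\s+([\w-]+)=(\S+?))?\]\s*(.*)")


def _split_list(value):
    return {item for item in value.split(",") if item}


def parse_bridge_vlan_config(text, bridge_ports):
    """Parse the subset of RouterOS CLI used for bridge VLAN filtering.

    Returns (ports, vlan_table, vlan_ifaces):
      ports       -> {port_name: {"pvid": int}}   (RouterOS default PVID is 1)
      vlan_table  -> [{"vlan_ids": set, "tagged": set, "untagged": set}]
      vlan_ifaces -> [{"name": str, "interface": str, "vlan_id": int}]
    """
    ports = {p: {"pvid": 1} for p in bridge_ports}
    vlan_table, vlan_ifaces = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # a path line selects the menu for the lines below
            section = line
            continue
        verb, _, rest = line.partition(" ")
        where = None                        # ("*", None) = all items, else (key, value)
        m = FIND_RE.match(rest)
        if m:
            where = (m.group(1), m.group(2).strip('"')) if m.group(1) else ("*", None)
            rest = m.group(3)
        kv = dict(tok.partition("=")[::2] for tok in shlex.split(rest))

        if section == "/interface/bridge/port" and verb == "set" and where:
            for name in ports:
                if where[0] == "*" or (where[0] == "interface" and name == where[1]):
                    if "pvid" in kv:
                        ports[name]["pvid"] = int(kv["pvid"])
        elif section == "/interface/bridge/vlan" and verb == "add":
            vlan_table.append({
                "vlan_ids": {int(v) for v in kv["vlan-ids"].split(",")},
                "tagged": _split_list(kv.get("tagged", "")),
                "untagged": _split_list(kv.get("untagged", "")),
            })
        elif section == "/interface/vlan" and verb == "add":
            vlan_ifaces.append({"name": kv["name"], "interface": kv["interface"],
                                "vlan_id": int(kv["vlan-id"])})
    return ports, vlan_table, vlan_ifaces


def lint_bridge_vlan(ports, vlan_table, vlan_ifaces, mgmt_port, mgmt_vlan, bridge="bridge"):
    """Return findings that would cut the router or the admin off once vlan-filtering=yes."""
    def entry_for(vid):
        return next((e for e in vlan_table if vid in e["vlan_ids"]), None)

    findings = []
    # 1. A VLAN interface on the bridge is only reachable if the bridge itself is a
    #    tagged member of that VLAN in the bridge VLAN table.
    for vi in vlan_ifaces:
        if vi["interface"] != bridge:
            continue
        entry = entry_for(vi["vlan_id"])
        if entry is None:
            findings.append(f"{vi['name']}: VLAN {vi['vlan_id']} missing from /interface/bridge/vlan")
        elif bridge not in entry["tagged"]:
            findings.append(f"{vi['name']}: VLAN {vi['vlan_id']} does not list '{bridge}' as a tagged member")
    # 2. The administrator's own port must carry the management VLAN, either as its
    #    PVID (untagged access) or as an explicit tagged/untagged member.
    entry = entry_for(mgmt_vlan) or {"tagged": set(), "untagged": set()}
    carries = (ports.get(mgmt_port, {}).get("pvid") == mgmt_vlan
               or mgmt_port in entry["tagged"] or mgmt_port in entry["untagged"])
    if not carries:
        findings.append(f"{mgmt_port}: does not carry management VLAN {mgmt_vlan}; "
                        "enabling filtering would drop this session")
    return findings


def check_config(text, mgmt_port, mgmt_vlan, bridge_ports=BRIDGE_PORTS):
    return lint_bridge_vlan(*parse_bridge_vlan_config(text, bridge_ports), mgmt_port, mgmt_vlan)


if __name__ == "__main__":
    # Assumption: the admin session arrives on ether3, an untagged LAN (VLAN 2) port.
    for line in check_config(PAGE_VLAN_CONFIG, "ether3", 2) or ["no findings: safe to enable vlan-filtering"]:
        print(line)
```

Run it against a modified copy of the configuration (for instance with bridge removed from the tagged list of VLAN 3) to see the finding that Safe Mode would otherwise have to rescue you from.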

Applying the configuration

To preserve all the previous configuration (still in ), I resort to Safe Mode by pressing CTRL-x.

I can now activate VLAN filtering by executing the following commands (remembering to enable Safe Mode first):

# Note: press CTRL-x first; the Safe Mode indicator must be visible in the prompt

# Enable VLAN filtering
/interface/bridge
set [find where name="bridge"] vlan-filtering=yes

View logs in real time:

/log/print follow

Filter logs by keyword:

/log/print where message~"BAN"

14:33:48 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 80.75.212.9:50264->192.168.0.88:80, len 40
14:37:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 62.169.22.37:40244->192.168.0.88:80, len 40
15:13:31 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 194.50.16.198:57018->192.168.0.88:80, len 40
15:22:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 93.174.93.12:60000->192.168.0.88:80, len 40
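Lines like these are written by a drop rule with log=yes and a log-prefix, as in the input chain above. As an added example that is not part of the page, here is a Python parser that turns such lines into structured records and aggregates them by source address and destination port, so that repeated probes stand out. The sample input embeds the four lines above plus two constructed lines (a second TCP probe and an ICMP echo from the same source) and one deliberately malformed line to show that unparsable input is counted rather than crashing the run. It also emits RouterOS address-list commands for repeat sources; the list name ban-repeat and the 1d timeout are illustrative choices, not anything from the page.

```python
import re
from collections import Counter

# Constructed sample: the page's four BAN lines plus two extra lines from the same
# source (80.75.212.9) and one malformed line, to exercise aggregation and error handling.
SAMPLE_LOG = """\
14:33:48 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 80.75.212.9:50264->192.168.0.88:80, len 40
14:37:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 62.169.22.37:40244->192.168.0.88:80, len 40
15:13:31 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 194.50.16.198:57018->192.168.0.88:80, len 40
15:22:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 93.174.93.12:60000->192.168.0.88:80, len 40
15:40:02 firewall,info BAN INPUT 22 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 80.75.212.9:50301->192.168.0.88:22, len 40
15:41:10 firewall,info BAN input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto ICMP (type 8, code 0), 80.75.212.9->192.168.0.88, len 28
this line is deliberately malformed and must be counted as unparsed
"""

# One RouterOS firewall log line: time, topics, log prefix, chain, interfaces,
# connection state, optional source MAC, protocol with optional flags, addresses
# with optional ports (absent for ICMP), and packet length.
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<prefix>.+?) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\([^)]*\)|\S+), "
    r"connection-state:(?P<state>\w+)(?: src-mac (?P<src_mac>[0-9a-fA-F:]+))?, "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(log_text, threshold=3):
    """Aggregate dropped connections by source and destination port.

    A source with at least `threshold` dropped packets is listed as a repeat offender.
    """
    records, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    by_src = Counter(r["src"] for r in records)
    by_dport = Counter(r["dport"] for r in records if r["dport"] is not None)
    repeat = sorted(ip for ip, n in by_src.items() if n >= threshold)
    return {"parsed": len(records), "unparsed": unparsed, "by_src": by_src,
            "by_dport": by_dport, "repeat_offenders": repeat}


def address_list_commands(summary, list_name="ban-repeat", timeout="1d"):
    """Build RouterOS commands that put repeat offenders in an address list.

    Assumption: the operator references this list from an input-chain drop rule;
    the list name and timeout are illustrative, not taken from the page.
    """
    return [f"/ip/firewall/address-list add list={list_name} address={ip} timeout={timeout}"
            for ip in summary["repeat_offenders"]]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"parsed={s['parsed']} unparsed={s['unparsed']}")
    for ip, n in s["by_src"].most_common():
        print(f"{ip:>16}  {n} dropped packet(s)")
    for cmd in address_list_commands(s):
        print(cmd)
```

Feed it the output of /log/print where message~"BAN" (or a log forwarded to a syslog host) and adjust the threshold to the noise level of your WAN interface.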

Pinging an IP address:

/tool/ping address=8.8.8.8 count=5

SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                   
  0 8.8.8.8                                    56 249 27ms336us 
  1 8.8.8.8                                    56 249 28ms654us 
  2 8.8.8.8                                    56 249 28ms473us 
  3 8.8.8.8                                    56 249 28ms657us 
  4 8.8.8.8                                    56 249 28ms434us

Capture network traffic on an interface:

/tool/sniffer/quick duration=1

INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS                 DST-ADDRESS                 PROTOCOL  SIZE  CPU
ether2     0.904  668  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee   254  192.168.254.114:33842       142.251.37.234:443 (https)  ip:tcp     109    0
bridge     0.904  669  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee   254  192.168.254.114:33842       142.251.37.234:443 (https)  ip:tcp     109    0
vlan-lan   0.904  670  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        192.168.254.114:33842       142.251.37.234:443 (https)  ip:tcp     105    0
ether1     0.904  671  ->   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        192.168.88.22:33842         142.251.37.234:443 (https)  ip:tcp     105    0
ether1     0.919  672  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        140.82.121.3                192.168.88.22               ip:icmp     98    0
vlan-lan   0.919  673  ->   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        140.82.121.3                192.168.254.100             ip:icmp     98    0
bridge     0.919  674  ->   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee   254  140.82.121.3                192.168.254.100             ip:icmp    102    0

Analyse live network flows:

/tool/torch interface=ether1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 ip-protocol=any mac-protocol=any

MAC-PROTOCOL  IP-PROTOCOL  SRC-ADDRESS     DST-ADDRESS   TX        RX         TX-PACKETS  RX-PACKETS
ip            icmp         140.82.121.3    192.168.88.22  784bps    784bps              1           1
ip            icmp         142.251.37.227  192.168.88.22  784bps    784bps              1           1
ip            icmp         192.168.0.1     192.168.88.22  41.9kbps  41.9kbps            5           5
ip            tcp          18.197.249.189  192.168.88.22  1488bps   976bps              2           1
ip            tcp          45.45.148.7     192.168.88.22  1248bps   1728bps             2           3
ip            tcp          71.18.255.144   192.168.88.22  17.6kbps  51.3kbps            9          11

Displaying router resources:

/system/resource print

                 uptime: 1d23h10m42s
                version: 7.14.1 (stable)
             build-time: 2024-03-08 12:50:23
       factory-software: 6.44.6
            free-memory: 906.9MiB
           total-memory: 1024.0MiB
                    cpu: ARM
              cpu-count: 4
          cpu-frequency: 533MHz
               cpu-load: 0%
         free-hdd-space: 418.5MiB
        total-hdd-space: 512.0MiB
write-sect-since-reboot: 140623
       write-sect-total: 1569203
             bad-blocks: 0%
      architecture-name: arm
             board-name: RB4011iGS+5HacQ2HnD
               platform: MikroTik

Check for available package updates:

/system package update check-for-updates

          channel: stable
installed-version: 7.14.1
   latest-version: 7.16.2
           status: New version is available

Installing the update:

/system package update install

Display the RouterBOARD firmware version and the available upgrade:

/system routerboard print

     routerboard: yes
           model: RB4011iGS+5HacQ2HnD
        revision: r2
   serial-number: DXXXXXXXXXXX
   firmware-type: al2
factory-firmware: 6.45.9
current-firmware: 6.45.9
upgrade-firmware: 7.16.2

Upgrade the firmware and reboot:

/system routerboard upgrade
/system reboot

Sources

  • en/l_atelier/routeurmikrotik.1760185183.txt.gz
  • Last modified: 2025/10/11 12:19
  • by badele