Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Standard router routes?

Mon Jan 03, 2011 9:52 pm

I just set up RouterOS 5.0 RC7 on my x86 box with two NICs. The setup was easy enough; made ether1 a DHCP client for the WAN and ether2 a DHCP server and default gateway for the LAN. I've established Winbox connectivity, but I really have no idea where to go to get ether2 (my LAN) connected to ether1 (my WAN Internet connection). I can ping 8.8.8.8 via ether1 in Winbox. I could find nothing in the wiki to point me in the right direction post-setup.

Also, since I will require a level 4 license within the next 24 hours, I'm told I'll need the software ID and "device type". I located the software ID without issue, but I'm unable to determine my device type. Thoughts?

Thanks in advance!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Standard router routes?

Mon Jan 03, 2011 9:59 pm

You probably need to configure NAT so that your privately addressed LAN network can get to the publicly addressed WAN network. Going on the sparse details you posted that would be along the lines of:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
If that doesn't work, post the output of "/ip address print detail", "/ip route print detail", "/interface print", and "/ip firewall export" for specific help.

You can find your platform information via "/system resource print" - but it's going to be an x86 system.
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: Standard router routes?

Mon Jan 03, 2011 10:23 pm

Wonderful, that was the solution!

My final question implores your personal recommendation. I'd like to know what my next configuration steps are assuming this router will be used as a firewalled home router. Vague, I know, but any direction will be beneficial.

Thanks!

EDIT: Also, I'm finding that IPv6 has already been configured by default, though I did not initiate its configuration. Should addresses in IPv6 > Addresses be purged?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Standard router routes?

Mon Jan 03, 2011 10:36 pm

Don't touch the addresses for IPv6. IPv6 uses something called stateless autoconfiguration where link local addresses are generated on every interface. If you don't need IPv6 you should rather go to "/system packages" and uninstall the IPv6 package. The IPv6 addresses you see start with fe80, which indicates they cannot be used outside of that link. You can keep them without any security implications. They are completely non-routable, more so than even private IPv4 addresses.

The wiki has very many firewall examples. Here is what I use for simple routers. It only allows LAN to WAN traffic, you'd have to punch holes for any services you want publicly available. The WAN interface is called 'outside', and not 'ether1', and LAN users cannot pass some traffic - such as NetBIOS - to the WAN. If there is more than one LAN interface the LAN networks are blocked from talking to one another. The address list is used to enumerate all networks that will have access to the router. The IP firewall filter wiki manual has all the details on what the rules mean, but feel free to ask for clarification.
/ip firewall address-list
add address=192.168.0.0/24 list=Administrative_Networks
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established disabled=no
add action=accept chain=input comment="allow related" connection-state=related disabled=no
add action=drop chain=input comment="drop invalid" connection-state=invalid disabled=no
add action=accept chain=input comment="allow local service UDP ports from LAN" disabled=no dst-port=53,67,123 in-interface=!outside protocol=udp
add action=accept chain=input comment="allow local service TCP ports from LAN" disabled=no dst-port=53 in-interface=!outside protocol=tcp
add action=accept chain=input comment="allow rate-limited ICMP" disabled=no limit=20,20 protocol=icmp
add action=accept chain=input comment="allow everything from admin networks" disabled=no src-address-list=Administrative_Networks
add action=drop chain=input comment="drop everything else" disabled=no
add action=accept chain=forward comment="forward established traffic" connection-state=established disabled=no
add action=accept chain=forward comment="forward related traffic" connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid traffic" connection-state=invalid disabled=no
add action=drop chain=forward comment="drop undesired TCP" disabled=no dst-port=135-139,445,1434,4444 protocol=tcp
add action=drop chain=forward comment="drop undesired UDP" disabled=no dst-port=135-139,445,1434,4444 protocol=udp
add action=accept chain=forward comment="forward traffic from customer interfaces to WAN (all other networks cannot talk to one another)" disabled=no out-interface=outside
add action=drop chain=forward comment="drop everything else" disabled=no

 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: Standard router routes?

Tue Jan 04, 2011 12:16 am

Got it. I'd love it if you could chime in on some tiny details to perfect my new router.

To begin, with regard to port forwarding, I read on the wiki that I just need to add a dstnat rule. Apparently a WAN destination address is expected, but what value should I use if my ISP uses DHCP addressing? Am I also required to create a firewall in addition to this?

There is one computer in the house that should be denied access to all addresses except one internal address during a certain time period on certain days. Would such a rule be added as a firewall rule or as a queue? How might such a rule be implemented?

When I configure IPv6 per the wiki, will those changes overwrite the default stateless values? In this configuration, it appears I encounter another example where a static WAN address is expected, though my ISP uses DHCP. Thoughts?

I notice that with my DHCP server, clients will be assigned unallocated addresses from the pool beginning with *.254 going backwards to *.100. Is there any way to configure my DHCP server to assign IP addresses starting at the beginning of the pool?

Thanks so much for your help thus far, I really appreciate it.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Standard router routes?

Tue Jan 04, 2011 12:30 am

> To begin, with regard to port forwarding, I read on the wiki that I just need to add a dstnat rule. Apparently a WAN destination address is expected, but what value should I use if my ISP uses DHCP addressing? Am I also required to create a firewall in addition to this?

You can replace the destination IP address with the following combination: "in-interface=ether1 dst-address-type=local" - which means "packets that are coming into ether1 (the WAN interface) and destined to an IP address implemented on a router interface". That's close enough, and will work.

> There is one computer in the house that should be denied access to all addresses except one internal address during a certain time period on certain days. Would such a rule be added as a firewall rule or as a queue? How might such a rule be implemented?

First of all: the router cannot possibly keep a machine on a local network behind the router from talking to other machines on that same local network. TCP/IP hosts on a local network talk directly; only traffic destined to networks other than the local network will be forwarded to the host's default gateway (the router). With that caveat explained, that would be a firewall rule. Something along the lines of "/ip firewall filter add chain=forward src-address=192.168.0.1 action=drop", which would keep 192.168.0.1 from passing any traffic through the router. It still could talk to that one internal address it needs access to, but would also have access to any other internal address as previously explained.

> When I configure IPv6 per the wiki, will those changes overwrite the default stateless values? In this configuration, it appears I encounter another example where a static WAN address is expected, though my ISP uses DHCP. Thoughts?

I would suggest dropping IPv6 for now. Revisit it when you're familiar with IPv4.

> I notice that with my DHCP server, clients will be assigned unallocated addresses from the pool beginning with *.254 going backwards to *.100. Is there any way to configure my DHCP server to assign IP addresses starting at the beginning of the pool?

No, you cannot change the order of assignment. Well. There is a really, really ugly hack where you chain 155 pools with one address each, but you shouldn't use really, really ugly hacks.
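
Added example (not part of the thread and not MikroTik code): a small Python model of first-match evaluation over the forward-chain rules posted earlier in the thread, showing that a dstnat port forward is still dropped by the final "drop everything else" rule until an accept rule is placed above it. The extra rule, the LAN host 192.168.0.10:80 and the packet fields are constructed for illustration; only the matchers that appear in these rules are modelled.

```python
import shlex

# Forward-chain rules from the thread (comments shortened, "disabled=no" dropped).
RULES = """
add action=accept chain=forward comment="established" connection-state=established
add action=accept chain=forward comment="related" connection-state=related
add action=drop chain=forward comment="invalid" connection-state=invalid
add action=drop chain=forward comment="undesired TCP" dst-port=135-139,445,1434,4444 protocol=tcp
add action=drop chain=forward comment="undesired UDP" dst-port=135-139,445,1434,4444 protocol=udp
add action=accept chain=forward comment="to WAN" out-interface=outside
add action=drop chain=forward comment="drop everything else"
"""
# Hypothetical extra rule for a port forward to a constructed LAN host, 192.168.0.10:80.
PORT_FORWARD = ('add action=accept chain=forward comment="forwarded HTTP" '
                'in-interface=outside dst-address=192.168.0.10 protocol=tcp dst-port=80')

def parse(text):
    """One dict per 'add key=value ...' line; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def port_in(spec, port):
    """RouterOS port lists mix single ports and ranges, e.g. 135-139,445."""
    ranges = (part.partition("-") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue  # not matchers
        have = pkt.get(key)
        ok = port_in(want, have) if key == "dst-port" and have else have == want
        if not ok:
            return False
    return True

def verdict(rules, pkt):
    """First matching rule decides; RouterOS accepts a packet that matches no rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched"

BASE = parse(RULES)
PATCHED = BASE[:-1] + parse(PORT_FORWARD) + BASE[-1:]  # new rule goes above the final drop
# Constructed packets; the forward chain sees the destination after dstnat has rewritten it.
NEW = {"chain": "forward", "connection-state": "new", "protocol": "tcp"}
LAN_WEB = {**NEW, "out-interface": "outside", "dst-port": 443}
LAN_SMB = {**NEW, "out-interface": "outside", "dst-port": 445}
WAN_FWD = {**NEW, "in-interface": "outside", "dst-address": "192.168.0.10", "dst-port": 80}
```

Calling `verdict(BASE, WAN_FWD)` and then `verdict(PATCHED, WAN_FWD)` shows the forwarded connection going from dropped to accepted, while `LAN_SMB` stays dropped in both rule sets.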
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: Standard router routes?

Tue Jan 04, 2011 9:11 pm

Thanks very much for your help. I'm very satisfied with my configuration. I look forward to implementing some unique and powerful enhancements to my new MikroTik router.