How to configure 450g with this setup

Posted: Tue May 11, 2010 11:42 am
by ramon82
Hi all

Kindly refer to this:

Image

As you can see I wish to configure the 450g to act as a firewall and also I wish to make it a VPN server. How can I configure it in this manner and to be as secure as possible?

Thanks for your help!

Re: How to configure 450g with this setup

Posted: Tue May 11, 2010 1:55 pm
by sergejs
I do not see any problem with using a RouterBOARD as a VPN server; just choose one of the supported servers:
http://wiki.mikrotik.com/wiki/Category:Manual (<---- Look for VPN chapter).

Use /ip firewall filter for the firewall.
Firewall configuration depends on how you want to secure the router.
Use chain=input to secure access to it:
- allow only IP address you will use for router management;
- allow VPN client address and used port/protocol;
- drop everything else.
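
The three steps above as a RouterOS input-chain rule set. This is an added example, not part of the original post; the management address 192.0.2.10 and the choice of PPTP as the VPN server are assumptions.

```routeros
# Added example, not from the thread. Assumed values: 192.0.2.10 is the
# management host; PPTP is the VPN server in use.
/ip firewall filter
# Keep replies to connections that are already tracked (one rule per state,
# which is accepted by old and new RouterOS versions alike).
add chain=input connection-state=established action=accept comment="established"
add chain=input connection-state=related action=accept comment="related"
add chain=input connection-state=invalid action=drop comment="invalid"
# Management (SSH 22, Winbox 8291) only from the admin host.
add chain=input src-address=192.0.2.10 protocol=tcp dst-port=22,8291 action=accept comment="management"
# PPTP needs the TCP 1723 control channel and GRE for the tunnel data.
# Add src-address=<client address> to both rules if the client has a fixed IP.
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input protocol=gre action=accept comment="PPTP data (GRE)"
# Echo requests only; without this rule the final drop also blocks ping.
add chain=input protocol=icmp icmp-options=8:0 action=accept comment="ping"
# Everything not matched above is dropped.
add chain=input action=drop comment="drop everything else"
```

Apply it from the management address or in Safe Mode, because the final rule cuts off any session that none of the accept rules match.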

Re: How to configure 450g with this setup

Posted: Tue May 11, 2010 2:04 pm
by ramon82
Isn't there a simpler setup? Like with WINBOX? I am kinda new to this stuff :?

Re: How to configure 450g with this setup

Posted: Tue May 11, 2010 4:26 pm
by sergejs
All the console commands are just the same as Winbox commands.
The same sequence is used; look at the console commands and reproduce them in Winbox (it should be pretty much the same).

Re: How to configure 450g with this setup

Posted: Tue May 11, 2010 4:53 pm
by ramon82
OK guys, I'll give it a try. Thanks

Re: How to configure 450g with this setup

Posted: Wed May 12, 2010 10:07 am
by ramon82
Hi all. Been trying to configure the 450g but I can't find some settings. Can someone tell me how to find these:

- enable IPSEC
- enable L2TP over IPSEC
- enable PPTP
- create VPN users
- allow ping from WWW
- configure virtual server (port forward)
- NAT configuration
- setup default route

Thanks

Re: How to configure 450g with this setup

Posted: Wed May 12, 2010 5:27 pm
by Feklar
For 1-4:
What packages do you have installed on the 450?
Refer to this Wiki page to know what you need:
http://wiki.mikrotik.com/wiki/Manual:System/Packages
Most of enabling IPSec/PPTP is done under the PPP menu. Read the Wiki for examples of the situation that you want to duplicate and adjust them for your situation.

For 5:
ICMP is allowed by default on the MikroTik; you have to explicitly filter it out for it to not work. These are not like dumb Linksys routers that assume a lot of things and keep a ton of things hidden. With a MikroTik you are expected to set up your own security and filters. Read up on the firewall and securing your router in the Wiki for examples of how to do this.

For 6 and 7:
Port forwarding and nat rules are done in /firewall nat.
For port forwarding set up what you need on chain dstnat with action dst-nat.
For other NAT settings we would need to know what you are trying to do specifically, but once again, most of the information you need is contained in the Wiki, find something similar to what you want to do and read up on that.

For 8:
This is done in /ip route

Re: How to configure 450g with this setup

Posted: Wed May 12, 2010 5:38 pm
by ramon82
thanks :D

Re: How to configure 450g with this setup

Posted: Thu May 13, 2010 11:31 am
by ramon82
Hi all

Since my last post I managed to configure the router. The only problem left now is that I cannot connect to it from a remote location via VPN. Funny thing is that I can connect via the PPTP service when on the same network though...

scenario:

LAPTOP ---- LAN ---- MIKROTIK ---- WAN (in this way I can connect with a VPN connection without problems)

LAPTOP ---- ROUTER ---- MODEM ----- WWW ---- MIKROTIK (I am able to ping ETH1 but can't establish a PPTP connection)

Please help, thanks

Re: How to configure 450g with this setup

Posted: Thu May 13, 2010 6:08 pm
by Feklar
What kind of VPN are you trying to use?

If it's L2TP/IPSec, Mikrotik doesn't like it when you are behind a NAT router, I think it has something to do with the way it handles the NAT helper. If you are on a real public IP, does it work?

If you are using PPTP, can you do an export of your ppp settings so we can see the config? Don't forget to anonymize the data.

Re: How to configure 450g with this setup

Posted: Mon May 17, 2010 3:07 pm
by ramon82
Hi all! One FINAL tweak left.

I managed to connect from another location to the VPN server I have set up. In fact I was in a different country and it did LOG in! The only problem is that I couldn't ping internal machines when I connected to the VPN! What might I be missing here?

Topology:
Image

IP Scheme (note colors - same color means same value)
Image

Re: How to configure 450g with this setup

Posted: Tue Jun 08, 2010 10:28 am
by ramon82
ANY HELP PLS?

I am connecting via VPN but can't ping internal hosts!

Re: How to configure 450g with this setup

Posted: Fri Jun 11, 2010 10:31 pm
by Chupaka
enable Proxy-ARP?..

Re: How to configure 450g with this setup

Posted: Tue Jul 06, 2010 2:39 pm
by ramon82
I enabled proxy-arp but still no luck - can't ping internal hosts...

See this:

Image


Any other ideas?

Re: How to configure 450g with this setup

Posted: Thu Jul 08, 2010 1:34 pm
by ramon82
Finally I managed to find the solution. Just enabled proxy-arp on the BRIDGE interface!

Thanks
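
The fix from this last post as RouterOS commands, together with the PPTP server and user it depends on. This is an added example, not from the thread; the names bridge1 and vpnuser1, the 192.168.88.0/24 LAN and the password are assumptions, as is the usual precondition for this fix: the VPN client is handed an address inside the LAN subnet.

```routeros
# Added example; bridge1, vpnuser1, the password and all addresses are assumed.
/interface pptp-server server set enabled=yes
# VPN user: the router end of the tunnel is 192.168.88.1 and the client is
# given 192.168.88.200, an address taken from the LAN subnet itself.
/ppp secret add name=vpnuser1 password=CHANGE-ME service=pptp \
    local-address=192.168.88.1 remote-address=192.168.88.200
# LAN hosts ARP for 192.168.88.200 as if it were on their own segment. The
# router has to answer those requests on the interface that holds the LAN
# address. When the LAN ports are bridge members, that interface is the
# bridge, not a member port.
/interface bridge set [find name=bridge1] arp=proxy-arp
# Check: the client is listed as connected and the bridge shows arp=proxy-arp.
/ppp active print
/interface bridge print detail
```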