Basic Config + Multi-Site VPN

Greetings!

I've just discovered RouterOS and have been toying with it for about 12 hours now. Seems like quite a nice project / platform. I'm hoping I can use it to deploy the scenario outlined below once I've become adequately experienced with it. The info below details my end goal and not necessarily the problems I am facing RIGHT NOW. Questions are listed at the bottom.

I am attempting to create a multi-site VPN infrastructure to be used for offsite backup of client data. Currently I am configuring all of this in a LAB environment. I have not purchased any equipment yet, however I 100% will if I can learn the software adequately, as I said.

SAMBA shares MUST be used for the data being backed up, thus VPN rather than something else. This is not part of my question :stuck_out_tongue:

Below is a (simple / ugly) network diagram...

On the top left we have my company's internal infrastructure, complete with a MikroTik acting as a router / VPN server.
Top right we have the internet (THE CLOOOOOUUUUUUD!!!!!).
Below that, IPsec VPN links to each of my clients and their infrastructures. (I have more than 3!)

Each of my clients will have a MikroTik connected to my network via an IPsec Site2Site VPN.
Firewall rules will be in place to prevent my clients from seeing any of my internal systems or each other.
The goal is to have only my backup system visible to the clients network and NOTHING else.

Below are a few questions, Some of which have to do with the above, others are general about RouterOS.


Q1
I wish to DISABLE internal HTTP management of the MikroTik router at each client location. I have tried specifying an IP addr for it to listen on by going to IP > Services > www > entering an IP. This results in HTTP not working from ANY IP, including the one I've specified. By default the field is empty or, when enabled, has a 0.0.0.0/0 addr in it. When I specify the external IP of the router in this field using /26 CIDR notation, the field goes red and isn't valid.

SO, more or less, how can I disable internal management via HTTP and only allow external / VPN / anything other than internal?

Q2
I have tried using a firewall rule to achieve the above. This hasn't worked either...

Under Action I have selected REJECT and then ICMP Connection Reset.

Halp

Q3
Where can i find a step-by-step guide for general configuration? I've spent a long, long time reading through the online Manual. It does a fair job explaining things however often no examples or usage scenarios are given.

I'm looking for:

VPN (IPSec, OpenVPN)
NAT / Port Forwarding
General "how do i actually do stuff" guide.

Q4
It seems like RouterOS in general comes completely BLANK. You must set up every little system manually. Nothing comes pre-configured. I've previously been using another open-source project called Untangle. It is quite a bit more user friendly, however it requires a full PC to run and many features are paid which should be free, IPSec VPN for example.

RouterOS seems quite a bit more advanced in terms of features, plus the hardware from what I hear is phenomenal, thus my desire to switch.

Is this how RouterOS is? You must set it up completely from the ground up with nothing preconfigured? If this is the case, can I export the config and deploy it to other routers in the future? (Thus saving a lot of time.)

Q5
I've seen the mention of scripting for this platform quite often, for such things as load balancing or WAN failover. Is this strictly the case with such features? There is nothing "built in" to handle this?

I thank those who reply most sincerely. I very much hope to become an active, contributing member to this fantastic project!

Update for Q1

It turns out you need to use an address like 10.1.20.0/24; the network address, then CIDR notation.

When I add / remove the router's internal IP, this has the desired effect. YAY!!!

When I specify ONLY the external IP with the CIDR notation, I can't load the page from an external network. Have tried multiple browsers from multiple IPs.

24.38.23.0/26 is similar to the actual IP / network I'm on and what I've entered.

I’ll answer these in a different order.

Q3
Where can i find a step-by-step guide for general configuration? I’ve spent a long, long time reading through the online Manual. It does a fair job explaining things however often no examples or usage scenarios are given.

I’m looking for:

VPN (IPSec, OpenVPN)
NAT / Port Forwarding
General “how do i actually do stuff” guide.

On the wiki manual, I’m afraid. It’s a complex system because of all the things it can do, so the manual tends to be fairly complex. That just comes with the territory. That said, http://gregsowell.com/ has a lot of very good training videos for VPNs. NAT is covered adequately with examples in the official manual: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping. Generally the manual is very good.

Q1
I wish to DISABLE internal HTTP management of the MikroTik router at each client location. I have tried specifying an IP addr for it to listen on by going to IP > Services > www > entering an IP. This results in HTTP not working from ANY IP, including the one I’ve specified. By default the field is empty or, when enabled, has a 0.0.0.0/0 addr in it. When I specify the external IP of the router in this field using /26 CIDR notation, the field goes red and isn’t valid.

SO, more or less, how can I disable internal management via HTTP and only allow external / VPN / anything other than internal?

Q2
I have tried using a Firewall rule to achieve the above. This hasn’t worked either…

The router always listens on all interfaces for all management services. The IP addresses specified under “/ip services” are the subnets allowed to connect to the router (the source address of a management packet is evaluated against the list). Setting this to the external subnet of the router’s WAN interface only makes sense if you want only hosts in that network to be able to administrate the router, which is unlikely to be true.

The best approach is to build a firewall address list of all IP subnets that are allowed to connect to the router for management purposes, and use an IP firewall to filter. I’m not sure why your approach with that didn’t work, it should have. You probably got some detail wrong.

/ip firewall address-list
add list=admin-networks address=1.1.1.0/24
add list=admin-networks address=2.2.2.0/24
/ip firewall filter
add chain=input connection-state=established action=accept comment="Allow packets on connections already accepted"
add chain=input connection-state=related action=accept comment="Allow related packets (ICMP errors, FTP data)"
add chain=input connection-state=invalid action=drop comment="Drop packets connection tracking cannot classify"
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 src-address-list=admin-networks action=accept comment="Management ports from admin networks only"
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop comment="Management ports from everywhere else"



Q4
It seems like RouterOS in general comes completely BLANK. You must set up every little system manually. Nothing comes pre-configured. I’ve previously been using another open-source project called Untangle. It is quite a bit more user friendly, however it requires a full PC to run and many features are paid which should be free, IPSec VPN for example.

RouterOS seems quite a bit more advanced in terms of features, plus the hardware from what I hear is phenomenal, thus my desire to switch.

Is this how RouterOS is? You must set it up completely from the ground up with nothing preconfigured? If this is the case, can I export the config and deploy it to other routers in the future? (Thus saving a lot of time.)

More or less. Most advanced routers do that. After all, there’s no telling what someone might do with them, since they cover so many possible deployment scenarios. You can most definitely shuttle configs around. Here is the manual for configuration management: http://wiki.mikrotik.com/wiki/Manual:Configuration_Management. You’re looking for “/export” coupled with some editing, and then either copying the resulting file to a new router and running “/import file=whatever”, or copying and pasting.

Q5
I’ve seen the mention of scripting for this platform quite often, for such things as load balancing or WAN failover. Is this strictly the case with such features? There is nothing “built in” to handle this?

Load balancing does not require scripts. The most reliable load balancing scheme is PCC, which uses marking packets in connections with special marks that determine the route they take. See http://wiki.mikrotik.com/wiki/Manual:PCC and http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner). Failover is a trickier topic. Failover of course is built in - when an interface goes down, the route goes invalid, and another route can become active. However, there are many scenarios where this doesn’t work. Imagine a cable modem used for connectivity - if the coax run to the cable modem is cut that doesn’t affect the Ethernet connection between router and modem. So even though the path may be down the interface may be up. This also applies to metro Ethernet for business circuit delivery, including high end ones. You’re probably connecting to a telco CPE switch, so your interface is up - but the telco router behind that switch might be down. RouterOS lets you ping the gateway of that route to protect against this - but what if the next hop beyond your gateway is down? You can either use scripts to deal with this, or you can use a very elegant non-script solution described here: http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting

In general what you’re trying to do is very possible to implement with RouterOS.

All in all: keep in mind that you’ve been playing with the product for 12 hours. It’s a proper, mature, grown up routing and wireless platform. People spend years doing nothing but learning this stuff professionally. If you’re already very familiar with networks and other vendors you’ll be picking things up quicker. If you’re not, it’ll take time. This is a product for a field that people have as a primary profession. It’s not that easy to use simply because the subject matter isn’t easy. But people generally will be friendly and helpful as you’re trying to figure out how to do things. You may also want to consider attending a training class. http://www.mikrotik.com lists training partners and training dates.

Excellent post, by the way. The right amount of detail, no getting hung up on how you think a solution should be approached, clear, concise questions, and a network diagram. If you post future questions in the same manner you’ll have no problem getting quick and good help in this forum.

Oh, and just cause: If you’re going to start using the platform seriously (even as you’re really going into lab scenarios rather than just evaluating) I honestly believe you’ll be better off ditching Winbox and using the CLI as much as you can. Winbox is an awesome tool for monitoring and adjusting configuration, but the CLI is a lot better for initial configuration, complicated tasks that change more than one configuration item at once (see a random example that doesn’t apply to you below), and of course is about the only thing that’ll help you in true emergencies where all you have is a serial cable. It’s better to get good at it early.

Others probably disagree with that.

Here something simple yet cool you can do with the CLI. The below turns all DHCP leases for hosts that have the word ‘iPhone’ in the name to static leases (where the same MAC address always gets the same IP address, and the IP won’t ever be assigned to anyone else):

/ip dhcp-server lease { make-static [find host-name~"iPhone"] }

One line that could affect hundreds or thousands of leases in a list of tens of thousands. Hella useful.

It also helps with communication in the forums. Screenshots are OK, but at the end of the day suck. Your firewall rule screenshot shows only one of 5 possible tabs (and only shows one rule of potentially dozens or hundreds). A simple “/ip firewall filter export” would show everything there is to know about the ruleset in a clear and concise way. Similarly it’s easier for someone helping you to write some CLI code you can copy/paste after potentially adjusting it rather than show you screenshots or describe verbosely in words which fields to fill out. The GUI and CLI mostly are 1:1 translations of one another so jumping between the two isn’t hard when you have to.

Wow! Thank you for taking the time to reply with such extended explanations. I’m working through it all now. You provided just the right amount of information to force me to still have to dig around, but have a better understanding of how things work. Will address the other points as well in a bit.

100% correct on the using the CLI bit. GUI is an old, comfortable habit, too comfortable. You can accomplish a whole lot of things much more easily using it versus a GUI which may or may not have an interface for what you’re trying to do. Learned this the hard way with Exchange PowerShell.

I will post back a more extended explanation on my progress soon. I’d like to update this topic for others to read / learn as I do. What I’m doing isn’t THAT advanced compared to the real “grownup” stuff so perhaps it will provide a good base for others.

Appreciate the acknowledgment on the format of my post. Read through the sticky and the linked article first. This isn’t a place to muck around and then need help… :smiley:

Thank you again.

Fantastic! I can now access the network from my home and office.

Just want to confirm I understand these commands. I’m going to write an English explanation for each.

/ip firewall address-list
add list=admin-networks address=1.1.1.0/24
add list=admin-networks address=2.2.2.0/24

Add 2 addresses to the address list and give them same label “admin-networks”. Any other addresses added to the list with that same name can all be referenced as one object later.

add chain=input connection-state=established action=accept

Accept all established incoming connections to the router. This should allow everything in, then the other filters decide what’s really allowed in?

add chain=input connection-state=related action=accept

I’m actually not sure what this does… Seems like it’s just good to have in there?. :stuck_out_tongue:

Related is defined as “a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection”.

add chain=input connection-state=invalid action=drop

If the packet can’t be sorted by any of the filters, drop it.

add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 src-address-list=admin-networks action=accept

Accept all TCP connections destined for ports 21,22,23,80,443, and 8291 from IPs on the address list labeled “admin-networks”.

add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop

Drop all TCP connections for ports 21,22,23,80,443, and 8291. This drops everything, but the other rule overrides it with the address list specification.

No, accepted is accepted. This is packet filtering, so it says: if the packet is part of an established connection, allow it. The key bit is that you can limit how connections are established.

This allows packets that are related to an established connection. Some IP services use a pair of ports and respond on a different one than the outgoing request, or segregate control and data like FTP, or …

IIRC if the connection tracking can’t classify it as NEW, ESTABLISHED, RELATED, or …

Yes.

Anything that didn’t match the addresses in the rule above gets bit bucketed here.

Awesome, Thanks. I just need clarification on one of the explanations…

Before I added in this rule, I was still able to administer the router remotely, whether it was from Webfig, Winbox or SSH.
I would think that if this rule wasn’t created, SSH for example shouldn’t work.

Doesn’t each establish a connection, then send and receive data continually on that connection?
Are these services exempt from filter rules?
If packets or traffic don’t violate any of the rules, isn’t the action of them being accepted assumed?

Excuse the many questions for what looks like the simplest rule in the list. Am just a bit fuzzy, can’t move on until I’ve understood all this 100%.

Anything that falls off the end of the list of rules is allowed.

So the default firewall config allows ICMP (pings and such) to the router itself (the input chain), and anything from established or related connections, then drops anything else from the “external” WAN interface. This still allows connections from the internal interfaces.

Basically it’s like there’s a final implicit accept rule at the end of each chain. Here’s an example with comments…

/ip firewall filter
add chain=input action=drop src-address-list=blacklist comment="Drop anything from blacklisted addresses"
add chain=input action=drop connection-state=invalid comment="Drop invalid connections"
add chain=input action=accept connection-state=established comment="Allow established connections"
add chain=input action=accept connection-state=related comment="Allow related connections"
add chain=input action=accept protocol=icmp comment="Allow ping and the like"
add chain=input action=drop in-interface=ether1-gateway comment="Drop anything else aimed at the router from outside"
# Anything else that reaches here (i.e. from one of the internal interfaces) is implicitly accepted.

add chain=forward action=drop src-address-list=blacklist comment="Drop anything from blacklisted addresses"
add chain=forward action=drop dst-address-list=blacklist comment="Drop anything to blacklisted addresses"
add chain=forward action=drop connection-state=invalid protocol=tcp comment="Drop invalid connections"
add chain=forward action=jump in-interface=ether1-gateway jump-target=customer comment="Anything else from outside goes to the customer chain"
# Anything else that reaches here (i.e. from one of the internal interfaces) is implicitly accepted.

add chain=customer action=accept connection-state=established comment="Allow established connections"
add chain=customer action=accept connection-state=related comment="Allow related connections"
add chain=customer action=drop comment="Drop anything else forwarded from outside"
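The two answers above describe the same evaluation model: rules are tried top to bottom, the first match decides, and a packet that reaches the end of a chain is accepted. The following is an added example (mine, not code from the thread or from MikroTik) that models the posted five-rule input chain in Python and runs constructed sample packets through it, so the "why did SSH still work before I added the accept rule" question can be answered by reading the trace. The address list entries, sample source addresses and connection states are constructed; the rule keys are spelled as in the RouterOS CLI. It also includes the prefix check behind the Q1 update, since `/ip service` and address-list fields both want a network prefix with the host bits zero.

```python
"""Model of RouterOS input-chain evaluation: first match wins, a packet that
reaches the end of a chain is accepted. Added example for this thread; the
rules mirror the five posted above, the packets and list entries are constructed."""
import ipaddress

# Address list as posted; 1.1.1.0/24 and 2.2.2.0/24 are the thread's placeholders.
ADDRESS_LISTS = {"admin-networks": ["1.1.1.0/24", "2.2.2.0/24"]}

MGMT_PORTS = {21, 22, 23, 80, 443, 8291}

# The posted input chain, one dict per rule, keys spelled as in the CLI.
INPUT_CHAIN = [
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
    {"connection-state": "invalid", "action": "drop"},
    {"protocol": "tcp", "dst-port": MGMT_PORTS,
     "src-address-list": "admin-networks", "action": "accept"},
    {"protocol": "tcp", "dst-port": MGMT_PORTS, "action": "drop"},
]


def is_valid_prefix(text):
    """RouterOS address fields (e.g. /ip service address=) want a network prefix
    with the host bits zero: 24.38.66.239/26 is rejected, 24.38.66.192/26 is not."""
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False


def in_address_list(src, list_name):
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in ipaddress.ip_network(p) for p in ADDRESS_LISTS[list_name])


def rule_matches(rule, pkt):
    """Every matcher present on the rule must hold; an absent matcher matches anything."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "src-address-list":
            if not in_address_list(pkt["src"], want):
                return False
        elif key == "dst-port":
            if pkt.get("dst-port") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(chain, pkt):
    """Return (rule index, action). Index None means the implicit accept at chain end."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return i, rule["action"]
    return None, "accept"


# Constructed sample packets aimed at the router itself (input chain).
SAMPLES = {
    "ssh from admin net":     {"src": "1.1.1.10", "protocol": "tcp", "dst-port": 22, "connection-state": "new"},
    "ssh from internet":      {"src": "203.0.113.7", "protocol": "tcp", "dst-port": 22, "connection-state": "new"},
    "ssh data, open session": {"src": "1.1.1.10", "protocol": "tcp", "dst-port": 22, "connection-state": "established"},
    "IKE from internet":      {"src": "203.0.113.7", "protocol": "udp", "dst-port": 500, "connection-state": "new"},
    "dns from LAN":           {"src": "10.66.89.50", "protocol": "udp", "dst-port": 53, "connection-state": "new"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        idx, action = evaluate(INPUT_CHAIN, pkt)
        where = "implicit accept" if idx is None else f"rule {idx}"
        print(f"{name:24s} -> {action:6s} ({where})")
```

Running it shows the point of the thread: SSH from an admin network is accepted by rule 3, SSH from anywhere else is dropped by rule 4, but IKE on UDP 500 and DNS from the LAN never match any rule and land on the implicit accept, which is exactly why management worked before the rules existed. The posted chain only gates six TCP ports; the second answer's sample ruleset closes that gap with a final drop on the WAN interface. Also worth noting for a production router: 21, 23 and 80 in that port list are plaintext services, and if they are not needed they are better disabled under `/ip service` than allowed from the admin networks.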

Hello Again

I haven’t had the extra time to sit and tinker. :frowning: Plan to do so tonight and tomorrow.

It seems that I’ve done something wrong. Router can’t ping Google’s DNS or any other IP. It just says “no route to host”. I checked the routing table and everything looks fine. Not sure what’s wrong.

I don’t want to just wipe the thing because I need to know how to fix this should it happen in a production environment.

If anyone has a suggestion, feel free to chime in. :stuck_out_tongue:

2 NICs
External and Internal
Static IP on the External.
10.66.89.1/24 on the internal.
Can ping my ISP’s assigned gateway and that’s about it. Nothing else will ping: not their DNS, Google’s DNS, my other static IPs, nothing.

Post your config - facts are better than guessing. “/interface print detail”, “/ip address print detail”, “/ip route print detail”, “/ip dns print detail”, and “/ip firewall export”, wrapped in code tags.

Yes Sir.

I can’t access the box by anything other than the VM console. So here are screenshots.

http://i.imgur.com/wuK99.png

http://i.imgur.com/IGddL.png

/ip dns print detail doesn’t work for one reason or another so I just did a basic print.

Dont hax me bro! :stuck_out_tongue:

You don’t have a default route installed, so the router doesn’t know how to send packets to anywhere but the /26 you have an IP address on. Assuming your public IP address is static and the WAN gateway is 24.38.66.193 (adjust as required):

/ip route add dst-address=0.0.0.0/0 gateway=24.38.66.193

Otherwise set the ‘add-default-route’ property of the DHCP client on the WAN interface to ‘yes’ to automatically insert a dynamic default route.
Sooner or later you’ll probably also want to NAT out the WAN interface. For a static IP of 24.38.66.239 that would be:

/ip firewall nat add chain=srcnat out-interface=EXTERNAL action=src-nat to-address=24.38.66.239

For a DHCP WAN IP change that to:

/ip firewall nat add chain=srcnat out-interface=EXTERNAL action=masquerade

http://wiki.mikrotik.com/wiki/Manual:IP/Route#Default_route
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Source_NAT

To protect the router from malicious access start implementing firewall rules in the input chain as discussed in this thread.

You sir get a cookie. That worked perfectly. Thank you very very much.

Is this something that must always be added manually? Or did i delete at some point?

General network question:

The external IP i’ve used is 24.38.66.239/26

When I’ve added it to the address list for the External interface it reads: 24.38.66.192.

What does this address do? The gateway my ISP gave me is .193. I thought maybe I was wrong on that and the router corrected me and replaced it with 192?

Filters will be added now... They were in there but I removed them thinking they may be the cause for this issue. Turns out it was the bit between the keyboard and the chair. :smiley:

Thank you again for your help. This forum has been invaluable.

Is this something that must always be added manually? Or did i delete at some point?

If your IP address is static it must be entered manually.

The external IP i’ve used is 24.38.66.239/26

When i’ve added it to the address-list for the External interface it reads: 24.38.66.192.

If you’re talking about the ‘network’ parameter of the IP address item (“/ip address”) for that interface, that is the network address. If you don’t know what that means you should read up on subnetting and TCP/IP in general - that’s too basic to be within the scope of this forum, I’m afraid. Maybe pick up a copy of “Computer Networks” by Tanenbaum, or the Cisco Press CCNA books.

Ahh, now I understand. I’ve never seen things written, or displayed, as they are in RouterOS. Like I said earlier I’m coming from Untangle, Linksys, Cisco SMB, etc. Stuff with a nice pretty GUI which hides all the nitty-gritty. /26 is the CIDR which is 192

Hurr Durr. :stuck_out_tongue:

ONWARD! >>>>

Greetings once again!

I’ve been making steady progress on my experiments. My recent task has been to create an IPSEC VPN between 2 routers.

It turns out though that I am unable to ping each router from the other. I receive “Admin Prohibited”.

This also happens when all firewall rules are disabled on both routers.

Below are the configs for both boxes. Please let me know if I’m missing anything.

------ROUTER 1 CONFIG-----
/ip route print

 0 A S  0.0.0.0/0                          24.38.66.193              1
 1   S  0.0.0.0/0                          24.38.66.239              1
 2 ADC  10.66.89.0/24      10.66.89.1      Internal                  0
 3 ADC  24.38.66.192/26    24.38.66.238    External                  0

/ip ipsec peer print

 0   address=24.38.66.239/32 port=500 auth-method=pre-shared-key secret="XXXXX" generate-policy=no 
     exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey 
     hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
     dpd-maximum-failures=5

/ip ipsec policy print

Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=10.66.89.0/24 src-port=any dst-address=10.66.90.0/24 dst-port=any protocol=all 
     action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=24.38.66.238 
     sa-dst-address=24.38.66.239 proposal=default priority=0

/ip firewall export

/ip firewall address-list
add address=24.38.66.235 disabled=no list=VHSAdmin
add address=24.184.13.187 disabled=no list=VHSAdmin
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input disabled=no dst-port=21,22,23,80,443,8291 protocol=tcp src-address-list=\
    VHSAdmin
add action=drop chain=input disabled=no dst-port=21,22,23,80,443,8291 protocol=tcp
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.66.90.0/24 src-address=10.66.89.0/24
add action=masquerade chain=srcnat disabled=no out-interface=External
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

------ROUTER 2 CONFIG-----
/ip route print

 0 A S  0.0.0.0/0                          24.38.66.193              1
 1   S  0.0.0.0/0                          24.38.66.238              1
 2 ADC  10.66.90.0/24      10.66.90.1      Internal                  0
 3 ADC  24.38.66.192/26    24.38.66.239    External                  0

/ip ipsec peer print

0   address=24.38.66.238/32 port=500 auth-method=pre-shared-key 
     secret="XXXXX" generate-policy=no exchange-mode=main 
     send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" 
     proposal-check=obey hash-algorithm=md5 enc-algorithm=3des 
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
     dpd-maximum-failures=5

/ip ipsec policy print

0   src-address=10.66.90.0/24 src-port=any dst-address=10.66.89.0/24 
     dst-port=any protocol=all action=encrypt level=require 
     ipsec-protocols=esp tunnel=yes sa-src-address=24.38.66.239 
     sa-dst-address=24.38.66.238 proposal=default priority=0

/ip firewall export

/ip firewall address-list
add address=24.38.66.235 disabled=no list=VHSAdmin
add address=24.184.13.187 disabled=no list=VHSAdmin
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input disabled=no dst-port=21,22,23,80,443,8291 \
    protocol=tcp src-address-list=VHSAdmin
add action=drop chain=input disabled=no dst-port=21,22,23,80,443,8291 \
    protocol=tcp
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.66.89.0/24 \
    src-address=10.66.90.0/24
add action=masquerade chain=srcnat disabled=no out-interface=External
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Any ideas?
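A site-to-site IPsec policy only works when the two ends are exact mirrors of each other: each peer address is the other side's WAN address, the policy selectors are swapped, the SA addresses are swapped, and the srcnat bypass rule covers the same selectors as the policy. The following is an added example (mine, not from the thread or MikroTik) that transcribes the two posted configs into Python dicts and checks those mirror conditions mechanically, then flags the algorithm choices. Only the fields the checks compare are transcribed; the values are the thread's own. The "weak" classification is my own, not a RouterOS setting, and the check says nothing about the ICMP "Admin Prohibited" reported above, it only establishes that the two ends agree with each other.

```python
"""Mirror-consistency and algorithm check for the two posted IPsec configs.
Added example for this thread; dicts are transcribed from the 'print' output
above, keeping only the fields compared here."""
import ipaddress

ROUTER1 = {
    "wan": "24.38.66.238",
    "peer": {"address": "24.38.66.239/32", "hash-algorithm": "md5",
             "enc-algorithm": "3des", "dh-group": "modp1024", "exchange-mode": "main"},
    "policy": {"src-address": "10.66.89.0/24", "dst-address": "10.66.90.0/24",
               "sa-src-address": "24.38.66.238", "sa-dst-address": "24.38.66.239",
               "tunnel": "yes", "action": "encrypt"},
    # srcnat accept rule listed before masquerade in the posted export
    "nat-bypass": {"src-address": "10.66.89.0/24", "dst-address": "10.66.90.0/24"},
}

ROUTER2 = {
    "wan": "24.38.66.239",
    "peer": {"address": "24.38.66.238/32", "hash-algorithm": "md5",
             "enc-algorithm": "3des", "dh-group": "modp1024", "exchange-mode": "main"},
    "policy": {"src-address": "10.66.90.0/24", "dst-address": "10.66.89.0/24",
               "sa-src-address": "24.38.66.239", "sa-dst-address": "24.38.66.238",
               "tunnel": "yes", "action": "encrypt"},
    "nat-bypass": {"src-address": "10.66.90.0/24", "dst-address": "10.66.89.0/24"},
}

# My classification of settings a practitioner should treat as weak; not a RouterOS list.
WEAK = {
    "hash-algorithm": {"md5", "sha1"},
    "enc-algorithm": {"des", "3des"},
    "dh-group": {"modp768", "modp1024"},
}


def host(cidr):
    """'24.38.66.239/32' -> '24.38.66.239'."""
    return str(ipaddress.ip_interface(cidr).ip)


def mirror_problems(a, b, label):
    """Problems in how router `a` points at router `b`; an empty list means consistent."""
    problems, pa, pb = [], a["policy"], b["policy"]
    if host(a["peer"]["address"]) != b["wan"]:
        problems.append(f"{label}: peer address {a['peer']['address']} is not the other WAN {b['wan']}")
    if pa["sa-src-address"] != a["wan"]:
        problems.append(f"{label}: sa-src-address {pa['sa-src-address']} is not this router's WAN")
    if pa["sa-dst-address"] != pb["sa-src-address"]:
        problems.append(f"{label}: sa-dst-address does not match the other side's sa-src-address")
    if (pa["src-address"], pa["dst-address"]) != (pb["dst-address"], pb["src-address"]):
        problems.append(f"{label}: policy selectors are not mirrored")
    if pa["tunnel"] != "yes" or pa["action"] != "encrypt":
        problems.append(f"{label}: policy is not tunnel-mode encrypt")
    nb = a["nat-bypass"]
    if (nb["src-address"], nb["dst-address"]) != (pa["src-address"], pa["dst-address"]):
        problems.append(f"{label}: srcnat accept rule does not cover the policy selectors")
    for key, value in a["peer"].items():
        if key != "address" and value != b["peer"].get(key):
            problems.append(f"{label}: peer {key}={value} differs from the other side")
    return problems


def check_pair(a, b):
    """Both directions; the tunnel only comes up if both lists are empty."""
    return mirror_problems(a, b, "router1") + mirror_problems(b, a, "router2")


def weak_settings(cfg):
    """Sorted 'key=value' strings for peer settings in the WEAK table."""
    return sorted(f"{k}={v}" for k, v in cfg["peer"].items() if v in WEAK.get(k, ()))


if __name__ == "__main__":
    print("mirror problems:", check_pair(ROUTER1, ROUTER2) or "none")
    print("weak settings on router1:", weak_settings(ROUTER1))
```

For the posted pair the mirror check comes back clean, so the symptom is not a transcription mismatch between the two sides. The algorithm check is the part worth acting on before this goes to client sites: MD5, 3DES and a 1024-bit DH group are all below what is reasonable for a tunnel carrying backup data today, and SHA-256, AES-256 and modp2048 are available in both the peer and `/ip ipsec proposal` settings, so the pre-shared-key tunnel can be strengthened without changing the design.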

Google has told me about a very helpful fellow who can be found here:

http://gregsowell.com/?p=1290

Got a basic IPSec VPN up in no time. Ordered a second 750GL to test Site2Site between my office and my home.

The more time i spend with this product the more i love it. <3