Beginner needs help with configuring MikroTik

Good day to everyone.

I just bought a MikroTik RB1200.
Until now I used modem → computer to access the Internet.
My friends and I have gathered the money to buy this MikroTik.

We want to go onto the internet through this MT.

They all dragged UTP cable from their homes up to my room on the floor. The length of all cables does not exceed 80 m, and there are a total of 4 cables in my room.
My internet provider gave me a public IP address and default gateway.
I have my DNS server and file server.

I’d like to put the ISP cable on ethernet 1,
my cable on ethernet 2,
Derek’s cable on ethernet 3,
Roger’s cable on ethernet 4,
Soffy’s cable on ethernet 5,
girlfriend’s cable on ethernet 6.

I would like to use my DNS server for internet for all friends, but I would not want to see ass in the network. Just to use my DNS server.
Please help me with configuring the MikroTik, because I am not proficient enough with networks and this kind of RouterBOARD “at all”.

You have to provide a little more information here…

  • Does every friend have their own ISP connection?
  • Do you want to see their computers on the network?
  • Do they need to see each other on the network?
  • Do you need to exchange data with them?
  • Do they need to exchange data between them?

There are a lot of scenarios here.

Docmarius, thank you for your fast answer.

  • Only I have an ISP connection and I want to share it with all the others. So I upgraded the internet speed and now I need to share the internet link with friends.
  • I don't want to see their computers on my network; I only need to route internet traffic from my ISP to them.
  • They don't want to see each other on the network for now, only to have access to the internet.
  • We don't need to exchange any data for now.
  • They don't need to exchange data between them for now.

I named the interfaces like this:

  • Ethernet 1 = ISP_Provider
  • Ethernet 2 = Home
  • Ethernet 3 = Derek
  • Ethernet 4 = Roger
  • Ethernet 5 = Soffi
  • Ethernet 6 = Love

IP addresses:
Mine: 192.168.0.1/24 network 192.168.0.0 Interface Home
I don't know what IP addresses and subnets to give them or how to add them.

For security: the identity was changed to danta_home and I set up a password for the admin account to secure it.

That's what I have managed to learn and do for now.

To reach your goal, I would suggest you set up a /24 subnet for each.
Like:
ether2 - home, 192.168.0.1/24
ether3 - derek, 192.168.1.1/24
ether4 - roger, 192.168.2.1/24
ether5 - soffi, 192.168.3.1/24
ether6 - love, 192.168.4.1/24
To add addresses use:

/ip address add address=192.168.1.1/24 comment="derek" interface=ether3 network=192.168.1.0

And allocate IPs manually in the respective subnet for their computers.
Default gateway and DNS shall be the router IP as listed, for each network.

Set up your ISP access on ether1 (or PPPoE or whatever your provider needs).
Make the default gateway for the router that interface:

/ip route add dst-address=0.0.0.0/0 gateway=INTERFACE-NAME

and add a masquerade rule to allow NAT to your ISP’s network - use either ether1 if connected directly, or the proper interface name for PPPoE, L2TP or whatever is needed:

/ip firewall nat add action=masquerade chain=srcnat out-interface=INTERFACE-NAME

Add a generic firewall forward rule:

/ip firewall filter add action=accept chain=forward in-interface=INTERFACE-NAME
/ip firewall filter add action=accept chain=forward out-interface=INTERFACE-NAME

Also add a rule to be sure to be able to access your router from inside:

/ip firewall filter add action=accept chain=input src-address=192.168.0.0/16

Enable DNS server in /ip dns and allow remote requests.
This should get you going.
As long as you don’t set forward rules between your internal interfaces, access between subnets is not possible.
Next step is to tweak your firewall for some protection… Don’t forget this!
At least drop incoming connections on the external interface:

/ip firewall filter add action=drop chain=input in-interface=INTERFACE-NAME

After startup, use WinBox to set up the router. It is much more user friendly!

Have fun!

Thank you so much, mister!
Only, I don't want to use my ISP's DNS; I would like my friends and me to use my DNS server in my room. How can I do that?

I managed to make something. Can you look and tell me if this is OK?

Address

ip address add address=192.168.0.1/24 comment="Home" interface=ether2 network=192.168.0.0
ip address add address=192.168.1.1/24 comment="Derek" interface=ether3 network=192.168.1.0
ip address add address=192.168.2.1/24 comment="Roger" interface=ether4 network=192.168.2.0
ip address add address=192.168.3.1/24 comment="Soffy" interface=ether5 network=192.168.3.0
ip address add address=192.168.4.1/24 comment="Love" interface=ether6 network=192.168.4.0

Masquerade

ip firewall nat add action=masquerade chain=srcnat out-interface=isp src-address=192.168.0.0/24
ip firewall nat add action=masquerade chain=srcnat out-interface=isp src-address=192.168.1.0/24
ip firewall nat add action=masquerade chain=srcnat out-interface=isp src-address=192.168.2.0/24
ip firewall nat add action=masquerade chain=srcnat out-interface=isp src-address=192.168.3.0/24
ip firewall nat add action=masquerade chain=srcnat out-interface=isp src-address=192.168.4.0/24
ip firewall nat add action=masquerade chain=srcnat out-interface=isp src-address=192.168.5.0/24

Filter Rules

Drop & reject:

ip firewall filter add action=drop chain=forward p2p=allp2p
ip firewall filter add action=reject reject-with=icmp-host-unreachable chain=input in-interface=isp protocol=icmp
ip firewall filter add action=drop chain=input in-interface=isp connection-state=new
ip firewall filter add action=drop chain=input in-interface=isp

Accept:

ip firewall filter add action=accept chain=input in-interface=Home
ip firewall filter add action=accept chain=input in-interface=Derek
ip firewall filter add action=accept chain=input in-interface=Roger
ip firewall filter add action=accept chain=input in-interface=Soffi
ip firewall filter add action=accept chain=input in-interface=Love

I think you have to add the forward rules as in my first post, since I think that forward is not active by default:

/ip firewall filter add action=accept chain=forward in-interface=isp
/ip firewall filter add action=accept chain=forward out-interface=isp

To use your own DNS, just add its IP as the only server in /ip dns and drop the others, so the router's DNS will forward the requests to yours.
But don’t forget, you have a full DNS server on the router, so maybe you can drop your other server :)

By the way, you have to use the interface names in the firewall rules, not the ones from the comments (I think you could rename them if you like… Maybe you have already done that).

ip firewall filter add action=accept chain=input in-interface=ether2
ip firewall filter add action=accept chain=input in-interface=ether3
ip firewall filter add action=accept chain=input in-interface=ether4
ip firewall filter add action=accept chain=input in-interface=ether5
ip firewall filter add action=accept chain=input in-interface=ether6

This is also true for the interface “isp”…

If it works for you and you do the same settings for all subnets, then it also should work for your friends.
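
A consolidated firewall for the goal stated in this thread (internet access for every port, nothing between the ports), as an added example that was not posted by either participant. RouterOS accepts any packet that reaches the end of a filter chain without matching a rule, so the isolation here comes from the explicit drop that closes each chain. It assumes the ports keep their default names, ether1 is the ISP link, ether2 is Home, ether3 to ether6 carry the addresses listed above, and that the router should be manageable from the Home port only.

```routeros
# Added example. Assumptions: default port names, ether1 = ISP, ether2 = Home,
# ether3-ether6 = friends, static addresses as assigned earlier in the thread.
# Apply from a session connected through ether2, otherwise the final input
# drop will cut the session off.

# One masquerade rule on the ISP port covers every internal subnet.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

# input chain: traffic addressed to the router itself. Rules match top to bottom.
/ip firewall filter
add chain=input action=accept connection-state=established comment="replies to the router"
add chain=input action=accept connection-state=related
add chain=input action=accept in-interface=ether2 comment="management from Home only"
add chain=input action=accept protocol=udp dst-port=53 in-interface=!ether1 comment="DNS for the friends' ports"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=!ether1
add chain=input action=drop comment="everything else, including the ISP side"

# forward chain: traffic passing through the router.
/ip firewall filter
add chain=forward action=accept connection-state=established comment="replies to LAN clients"
add chain=forward action=accept connection-state=related
add chain=forward action=accept in-interface=!ether1 out-interface=ether1 comment="any internal port to the internet"
add chain=forward action=drop comment="port-to-port traffic and unsolicited inbound"

# The router answers DNS for the internal ports; the input rules above keep
# port 53 closed on ether1. Upstream servers are set separately in /ip dns.
/ip dns
set allow-remote-requests=yes
```

After applying it, `/ip firewall filter print stats` shows per-rule packet counters, which is a quick way to confirm that a ping from one friend's subnet to another lands on the final forward drop.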