New to RouterOS - suggestions for *good* learning material?

As the title says, I’m new to RouterOS. I’ve been in IT for almost 15 years, and have a lot of time with Cisco PIX and ASA firewalls, Watchguard, some Sonicwall, all of the consumer routers, pfSense, IPCop and probably a few I can’t think of… But RouterOS is unlike anything else I’ve worked with.

I’ve read through about 75% of ‘RouterOS by Example’, but I’m still rather lost, primarily with regards to chains and how to set them up. Exactly how to set up the wireless in a device such as the 951-2n is also on my ‘lost’ list.

Can anyone recommend some good resources that’ll help me understand how chains work and such? I could go through examples and copy them, but it doesn’t help me grasp how they work. The problem with books such as ‘RouterOS by Example’ and ‘Learn RouterOS’ is that they’re expensive. If you’re looking to install and support RouterOS as a business, then they make sense, but as someone interested in learning it and deploying fewer than six devices, it doesn’t make a lot of sense to spend more than the cost of the device on each of the books available…

Dear friend,

Have you visited http://wiki.mikrotik.com/wiki/Main_Page ?
Also visit http://www.tiktube.com/

You will get the best learning material. Good luck.

I came from IPCop and I love RouterOS. I've found Greg Sowell's videos helpful. I've posted my settings below. Study them and they'll give you a good start.

  1. Initial generic setup:
    http://pastebin.com/QCKcMqew

  2. Firewall setup
    #Router and internal network protection, no internal servers, LAN is friendly
    /ip firewall filter
    add chain=input action=drop connection-state=invalid comment="Disallow weird packets"
    add chain=input action=accept connection-state=new in-interface=ether-LAN comment="Allow LAN access to the router itself"
    add chain=input action=accept connection-state=established comment=" ^^ that originated from LAN"
    add chain=input action=accept connection-state=related comment=" ^^ that originated from LAN"
    add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere"
    add chain=input action=drop comment="Disallow anything from anywhere on any interface"
    add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
    add chain=forward action=accept connection-state=new in-interface=ether-LAN comment="Allow LAN access to move through the router"
    add chain=forward action=accept connection-state=established comment=" ^^ that originated from LAN"
    add chain=forward action=accept connection-state=related comment=" ^^ that originated from LAN"
    add chain=forward action=accept protocol=tcp dst-port=80 comment="Add a filter exception for port mapped server"
    add chain=forward action=drop comment="Disallow anything from anywhere on any interface"

    Port forward (map) to an internal LAN server:

    /ip firewall nat add chain=srcnat action=masquerade out-interface=ether-WAN comment="Turn on masquerading"
    /ip firewall nat add chain=dstnat action=dst-nat protocol=tcp to-address=1.2.3.4 dst-port=80 to-port=80 comment="Create an incoming port map rule"

  3. QoS setup:

I read halfway through RouterOS by Example, then started playing. Best way, IMO.

nawshad, yes, I’ve looked through the wiki and so far it hasn’t helped, and tiktube doesn’t appear to have much relevant info.

pcunite, thanks for the info. I’ll have to check out Greg’s videos.

I put in your default config in my Routerboard and oddly, I lost my connection to the web interface, but was still able to ping and SSH to it so I was able to disable the last input drop rule and get access back. While this does not help me understand how chains work, from what little I do understand, the rules apply from top to bottom. When a connection matches a rule, it uses it and stops processing, so the way it SHOULD have worked is my web connection to the LAN interface should have matched the second rule (The first ‘accept’ rule) and then stopped processing, but for whatever reason, it was making it down to the last input rule and blocking my connection.

While a simple base config like you posted would work just fine somewhere like my grandparents’ house, and probably even at my mother’s house, which I have a site-to-site VPN to, I want to understand how chains work and how to set them up, because at my home network I have a much more complex setup - three site-to-site VPNs: one to my mother’s house which is bi-directional, one to my office network which is one way from my LAN to the office LAN, and one to my virtual environment in a local datacenter that is also one way from my LAN to that LAN. I also have nine VLANs, four of which are currently set up on my pfSense firewall, although I sometimes throw in another VLAN if I want to sandbox something off on a totally separate network for testing and still have internet access.

We’ll see if any of Greg’s videos help; if not, I’ll keep looking to try to understand chains. I’m pretty happy with pfSense, but the MikroTik stuff seems really nice. I just won’t put any of it into actual use until I understand how it all works.

Because of the port 80 rule probably. The web interface listens on that same port. Or you’re using a bridge interface and do not have it listed in the rules, etc.
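To make the port-80 interaction concrete, here is an added example (not from any post in this thread) that rewrites the two port-map rules from pcunite's config so they only apply to packets arriving on the WAN. The interface names ether-WAN and ether-LAN are taken from those rules; the LAN range 192.168.1.0/24 and the server address 192.168.1.11 are assumptions chosen for illustration.

```routeros
# Added example: scoping the port map so it cannot catch LAN-originated traffic.
# Assumed (not from the thread): interfaces ether-WAN / ether-LAN, LAN 192.168.1.0/24,
# internal web server 192.168.1.11.

/ip firewall nat
# The dstnat chain is evaluated for every packet entering the router, before the
# routing decision, including packets addressed to the router itself. A rule that
# matches only on protocol and port therefore also rewrites a LAN host's connection
# to the router's own tcp/80 (WebFig) and any LAN browsing to tcp/80 on the
# internet. Restricting it to in-interface=ether-WAN removes both side effects.
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp dst-port=80 \
    to-addresses=192.168.1.11 to-ports=80 \
    comment="Port map: WAN tcp/80 -> internal web server"
add chain=srcnat action=masquerade out-interface=ether-WAN \
    comment="Masquerade LAN traffic leaving on the WAN"

/ip firewall filter
# The matching forward exception should be just as narrow: only traffic that came
# in on the WAN and is headed for the mapped server, not every tcp/80 packet from
# any interface. It must sit above the final forward drop rule.
add chain=forward action=accept in-interface=ether-WAN dst-address=192.168.1.11 \
    protocol=tcp dst-port=80 connection-state=new \
    comment="Allow port-mapped traffic to reach the web server"

/ip service
# Layered control for the router's own web UI: even if a NAT rule is later widened,
# WebFig only answers to LAN addresses.
set www address=192.168.1.0/24
```

The filter rule needs only connection-state=new because the earlier established/related rules in pcunite's forward chain already accept the replies. If the router's own management pages must stay on port 80 alongside a port map on 80, the in-interface match on the dst-nat rule is what keeps the two apart.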

Can someone please give me a rundown on how the chains work and apply? I kinda understand how they flow in a real simple config (such as the 951-2n I set up that will probably end up at my grandparents), but the next thing I need to set up, if I’m going to continue down the MikroTik path, is my home network.

To give you an idea where my confusion comes in, my network is as follows: I have my WAN, obviously, I have a second WAN that I could potentially use as a backup connection, but it’s not required so we could ignore it. Then I have LAN, DMZ, Wireless, and ‘Sandbox’ VLANs that get internet access.

In the pfSense, each interface has its own tab, so I can set the rules up as needed for each tab. The wireless, for example, is allowed to go out to the internet, but has no access to any other network. The DMZ is where some internet facing servers reside, and there are a few ‘pinholes’ that allow some specific traffic to enter the LAN from the DMZ. The LAN is allowed full access to the DMZ and the internet, of course. The ‘Sandbox’ is similar to the DMZ, except it’s heavily restricted in that it’s only allowed out to the internet, and there are a few connections allowed in from the LAN, but most everything is blocked.

With RouterOS, there isn’t the same segregation with regards to the interfaces, so how do the rules apply when you have multiple VLANs that need different access? I understand that the chains are processed from the top. Placing a ‘drop invalid packets’ rule at the top prevents those packets from being processed or acknowledged; then come the allow rules, since once a rule matches the traffic, it’s used and the processing stops; then finally a ‘drop everything’ at the end so that anything that doesn’t match an allow rule is dropped.

With the simple inside/outside config I have in this 951, it’s not hard to understand. In this simple context, it’s really not that different from pfSense in general layout. But how would this work with multiple interfaces? In pfSense, in essence, each interface has its own set of chains that apply to it, whereas in RouterOS, they seem to all get lumped together.

In Cisco Firewalls, the rules are also ‘lumped together’, but they are clearly applied to specific interfaces. For Example:

access-list acl-in extended permit tcp any host 1.2.3.4 eq https

That would allow https traffic in on IP 1.2.3.4.

You would also have to have a static entry for said IP:

static (inside,outside) 1.2.3.4 192.168.1.11 netmask 255.255.255.255

But you would then apply the access list to an interface:

access-group acl-in in interface outside

So now, any ACL that uses ‘acl-in’ would apply to the ‘outside’ interface. You could then have a ‘DMZ-in’ ACL, and apply it to the DMZ interface and so on.

I also have a VPN to my mother’s house, a VPN to my datacenter server and a VPN to my company’s office. Those may or may not be tough to grasp setting up on RouterOS.

Like I said, I’ve read through most of ‘RouterOS By Example’, I’ve searched around, and so far nothing has helped me understand this aspect of RouterOS. Should each and every chain entry be bound to a specific interface? Even if that’s the case, how do they fit in with each other with regards to processing? Does it not matter what is where (on the forward chain, for example) provided it’s in between the ‘invalid > drop’ and ‘drop everything’ entries?
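The per-interface policy described in the post above (LAN fully trusted, DMZ internet-bound with a few pinholes into the LAN, wireless internet-only, sandbox internet-only with LAN-initiated sessions allowed) can be expressed in RouterOS by giving each source interface its own custom chain and dispatching to it from the forward chain with action=jump matched on in-interface. That is the RouterOS counterpart of binding an ACL to an interface with access-group on the ASA, or of the per-interface tab in pfSense. The configuration below is an added example, not from any post in this thread; the interface names (ether-WAN, vlan-LAN, vlan-DMZ, vlan-WIFI, vlan-SANDBOX), the subnets and the pinhole hosts and ports are all assumptions chosen for illustration.

```routeros
# Added example: one custom chain per ingress interface, dispatched from forward.
# Assumed names/addresses (not from the thread): ether-WAN; vlan-LAN 192.168.1.0/24,
# vlan-DMZ 192.168.2.0/24, vlan-WIFI 192.168.3.0/24, vlan-SANDBOX 192.168.4.0/24;
# a DMZ web server 192.168.2.10 and a LAN database host 192.168.1.20.

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept connection-state=established,related comment="input: replies"
add chain=input action=accept protocol=icmp comment="input: ICMP from anywhere"
add chain=input action=accept in-interface=vlan-LAN protocol=tcp dst-port=22,80,8291 \
    comment="input: management (SSH, WebFig, Winbox) only from the LAN VLAN"
add chain=input action=accept in-interface=vlan-WIFI protocol=udp dst-port=53,67 \
    comment="input: DNS and DHCP service for wireless clients"
add chain=input action=drop comment="input: default deny"

# --- forward: state handling first, then dispatch on the ingress interface ---
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept connection-state=established,related \
    comment="forward: replies to connections already permitted below"
add chain=forward action=jump jump-target=from-LAN in-interface=vlan-LAN
add chain=forward action=jump jump-target=from-DMZ in-interface=vlan-DMZ
add chain=forward action=jump jump-target=from-WIFI in-interface=vlan-WIFI
add chain=forward action=jump jump-target=from-SANDBOX in-interface=vlan-SANDBOX
add chain=forward action=jump jump-target=from-WAN in-interface=ether-WAN
# A custom chain that reaches its end without matching returns to the rule after
# the jump, so anything a per-interface chain did not accept lands here.
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="forward: default deny"

# --- from-LAN: trusted; may reach the DMZ, the sandbox and the internet ---
add chain=from-LAN action=accept comment="LAN -> anywhere"

# --- from-DMZ: internet plus explicit pinholes into the LAN ---
add chain=from-DMZ action=accept dst-address=192.168.1.20 protocol=tcp dst-port=5432 \
    comment="DMZ -> LAN pinhole: web server to database"
add chain=from-DMZ action=drop dst-address=192.168.0.0/16 comment="DMZ -> other internal: deny"
add chain=from-DMZ action=accept out-interface=ether-WAN comment="DMZ -> internet"

# --- from-WIFI: internet only ---
add chain=from-WIFI action=drop dst-address=192.168.0.0/16 comment="WIFI -> internal: deny"
add chain=from-WIFI action=accept out-interface=ether-WAN comment="WIFI -> internet"

# --- from-SANDBOX: internet only; sessions the LAN opens into it are covered
#     by the established/related rule in forward, so nothing is needed here ---
add chain=from-SANDBOX action=drop dst-address=192.168.0.0/16 comment="SANDBOX -> internal: deny"
add chain=from-SANDBOX action=accept out-interface=ether-WAN comment="SANDBOX -> internet"

# --- from-WAN: only what the port map below delivers to the DMZ server ---
add chain=from-WAN action=accept dst-address=192.168.2.10 protocol=tcp dst-port=443 \
    comment="WAN -> DMZ web server (destination already rewritten by dst-nat)"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether-WAN comment="internal -> WAN masquerade"
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.2.10 to-ports=443 comment="WAN tcp/443 -> DMZ web server"
```

Two things follow from this layout that answer the ordering question. First, within one chain the order only matters between rules that can match the same packet: the invalid drop and the established/related accept go first because they decide most packets, the jumps in the middle can be in any order because each packet enters on exactly one interface, and the final drop must be last. Second, because each packet is dispatched to exactly one per-interface chain, the rules inside from-WIFI and from-DMZ cannot interfere with each other, which is the independence the pfSense tabs give you. A VPN tunnel interface is handled the same way: it gets its own jump on in-interface, and for a tunnel that is meant to be one-way from the LAN, its chain simply accepts no new connections and the established/related rule carries the replies.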

Hi Cougar281,

I have been working with RouterOS for about 2 years and have found “RouterOS by Example” to be the best and only book for beginners. However, it has only ONE complete workable example and that example is on the author’s website. The Mikrotik reference manual does not have complete examples, only code fragments which are useless to beginners. I have received lots of help from this forum. I would say this: “RouterOS by Example” and this forum are the most valuable resources for beginners attempting to learn RouterOS.

Regards,
Don James