I would like to say, though, that your recommendations about changing the service ports are a bit outdated.
Modern scans pick up everything no matter what port your service is on. The scanner fingerprints the OS from the way packet headers, sequence numbers, etc. look, and fingerprints the service ports based on what the scanner sees when it connects to open ports. If it sees an SMTP banner on port 80, and the service responds correctly to “HELO somehost.example.org”, guess what: it’s logging you as a mail server on port 80. Security through obscurity is not really helping much, and it makes your own life harder having to remember what ports your services really live on.
It’s better to make an IP List of trusted sources (e.g. your office’s IP, your home’s IP, etc), and only allow connections from those IPs. Use the firewall to block this, not the “from addresses” field(s) in ip services. The firewall is much more flexible. After the permanent whitelist, you can allow “transient” access by vpn, or port knocking.
I might also add that insecure services such as telnet, ftp and www should be disabled or at least limited to ONLY the LAN interfaces.
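The approach described in the post above (a permanent trusted-source list enforced in the firewall rather than in the per-service “from addresses” field, legacy services reachable only from the LAN interface, and transient access via port knocking) written out as a configuration fragment. This is an added example and not from the thread; it assumes MikroTik RouterOS syntax, and the list names, interface name (`bridge-lan`), knock ports and the documentation-range IP addresses are placeholders to be replaced with your own.

```routeros
# Added example, not from the original post. Assumes RouterOS; addresses,
# interface names and knock ports are placeholders.

# 1. Permanent whitelist of trusted sources (office, home, ...).
/ip firewall address-list
add list=trusted address=203.0.113.10 comment="office public IP (placeholder)"
add list=trusted address=198.51.100.25 comment="home public IP (placeholder)"

# 2. Input chain: decisions about traffic addressed to the router itself.
#    Rule order matters: accepts come before the final drop.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies belonging to already-accepted sessions"
add chain=input connection-state=invalid action=drop \
    comment="packets that match no known connection"
add chain=input src-address-list=trusted action=accept \
    comment="permanent whitelist: management from trusted sources only"
add chain=input src-address-list=knock-allowed action=accept \
    comment="transient access earned through the knock sequence below"
add chain=input in-interface=bridge-lan action=accept \
    comment="LAN side may reach the router (www/telnet/ftp stay LAN-only)"

# 3. Port knocking for transient access from an unknown address:
#    knock on port A, then port B within 15 s, and the source is granted
#    1 hour of access via the knock-allowed list. A wrong order or a
#    timeout leaves nothing open. The knock rules add list entries only;
#    they never accept the knock packets themselves.
add chain=input protocol=tcp dst-port=1234 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock A (placeholder port)"
add chain=input protocol=tcp dst-port=5678 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-allowed \
    address-list-timeout=1h comment="knock B (placeholder port) -> 1h access"

# 4. Default deny for everything else aimed at the router.
add chain=input action=drop comment="drop all other input"

# 5. Plain-text services that have no business on the WAN at all.
/ip service
disable telnet,ftp
```

Because the final `drop` rule cuts off any management session whose source is not on a list, apply this from a session that already matches the `trusted` list or from the LAN side, and check the rule counters (`/ip firewall filter print stats`) before walking away; the knock-list entries can be inspected with `/ip firewall address-list print`, which also gives you a simple audit trail of which sources earned transient access and when it expires.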
You are correct, zerobytes, but all so-called admins have their own learning curve. You also didn’t eat the shit of King Solomon. Neither did I. I can admit that I am still learning. Even though we are far ahead of most of the people asking here on the forum, and many of their questions look so funny and silly to us, just remember that you were in the same situation in the past. Me too. I had many stupid ideas and did many ridiculous things. But that is not the story of this topic.
I am also interested in performance tuning tips, even though I play with firewalls a lot to optimise them, so I may know something by now.