Community discussions

 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 1:13 pm

Hello

As we all know it's very important how to configure firewall and services on our Miktotik routers.

A lot of us are using Winbox for remote administrating because its easiest, changing port from 8021 to any other doesnt rise security level. So next step is to use SSH but I read that I can't force to login using ONLY certificates (maybe I'm wrong?) so next step is VPN but here is also lack of using certyficates in client-server mode.

So how to configure router in safe mode and administarte it in case when my computer has variable IP? Could You give me/us some examples?

With regards
Slawek
 
ivicask
Member Candidate
Member Candidate
Posts: 238
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 1:17 pm

Hello

As we all know it's very important how to configure firewall and services on our Miktotik routers.

A lot of us are using Winbox for remote administrating because its easiest, changing port from 8021 to any other doesnt rise security level. So next step is to use SSH but I read that I can't force to login using ONLY certificates (maybe I'm wrong?) so next step is VPN but here is also lack of using certyficates in client-server mode.

So how to configure router in safe mode and administarte it in case when my computer has variable IP? Could You give me/us some examples?

With regards
Slawek
You can add source ip rule in NAT where u port forward the port.
In case you use dynamic ip simple add your dns name under adress list, than under nat add it to src address list.

So you will only be able to login from that IP.
 
ofer
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Wed May 23, 2018 11:45 am

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 1:32 pm

Best way would be to close all the ports from the outside then use autossh to tunnel the ssh port from behind the router to a remote location so you would actually have access to a system behind the router through ssh and then tunnel the Winbox port remotely this way nothing remains open. it can also be done with a vpn but Mikrotik doesn't support anything with a good encryption so I prefer ssh tunneling instead.
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 1:54 pm

[/quote]
In case you use dynamic ip simple add your dns name under adress list, than under nat add it to src address list.
[/quote]

hmm interesting and easy to implement.
How often Mikrotik routers updates dns entries in address list? ie. My LTE modem got new IP evertytime its connect to network so I imagine that my IP could change few time a day and my pair dns_dane and IP changing few time a day. Is it a problem?
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 1:56 pm

Best way would be to close all the ports from the outside then use autossh to tunnel the ssh port from behind the router to a remote location so you would actually have access to a system behind the router through ssh and then tunnel the Winbox port remotely this way nothing remains open. it can also be done with a vpn but Mikrotik doesn't support anything with a good encryption so I prefer ssh tunneling instead.
Very interesting ... Could You be more specific about autossh? Could You explain in detail how to get it working?

Regards
Slawek
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 3:44 pm

In case you use dynamic ip simple add your dns name under adress list, than under nat add it to src address list.
hmm interesting and easy to implement.
How often Mikrotik routers updates dns entries in address list? ie. My LTE modem got new IP evertytime its connect to network so I imagine that my IP could change few time a day and my pair dns_dane and IP changing few time a day. Is it a problem?
In theory IP address on clud (a.k.a. xxx.sn.mynetname.net) changes at the moment that router does update. And hopefully it does it immediately after changed WAN IP address.
When you set FQDN name instead of IP address, then RB keeps same IP address for duration of DNS record's TTL, after expiry it checks DNS record again. If I'm not much mistaken DNS records from sn.mynetname.net have TTL of 60 seconds.
BR,
Metod
 
ofer
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Wed May 23, 2018 11:45 am

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 3:49 pm

autossh rely mainly on a ssh trust between two systems for passwordless login and will initiate the ssh connection whenever it is not up
you can also configure the tunnel to "push" the local ssh port to a remote location or "push" a remote ssh port that the computer can reach to a remote server
e.g.
system behind nat (192.168.1.50) can tunnel the local ssh port (192.168.1.50:22) to a remote system port (12345) and can also push a remote ssh port to that remote system (192.168.1.150:22)
that way the trusted endpoint will have those ports available locally through ssh

documentation and howto - https://www.everythingcli.org/ssh-tunne ... t-autossh/
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 5:20 pm

So next step is to use SSH but I read that I can't force to login using ONLY certificates (maybe I'm wrong?) so next step is VPN but here is also lack of using certyficates in client-server mode.
When You add a certificate to a user the system disable password login for him. Just tested, with RoS 6.42.6, 6.42.7 and 6.43.
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 5:32 pm

So next step is to use SSH but I read that I can't force to login using ONLY certificates (maybe I'm wrong?) so next step is VPN but here is also lack of using certyficates in client-server mode.
When You add a certificate to a user the system disable password login for him. Just tested, with RoS 6.42.6, 6.42.7 and 6.43.
I read on this forum that this option will work on ROS 7.x - interesting. I can't find it on Wiki. Maybe someone from Mikrotik could confirm is that expected behavior for next releases of RoS or just feature that they testing?

Regards
Slawek
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 7:02 pm

So next step is to use SSH but I read that I can't force to login using ONLY certificates (maybe I'm wrong?) so next step is VPN but here is also lack of using certyficates in client-server mode.
When You add a certificate to a user the system disable password login for him. Just tested, with RoS 6.42.6, 6.42.7 and 6.43.
I read on this forum that this option will work on ROS 7.x - interesting. I can't find it on Wiki. Maybe someone from Mikrotik could confirm is that expected behavior for next releases of RoS or just feature that they testing?

Regards
Slawek
They have it for quite some time. Not sure when it stared, but I used it before 6.40
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 9:46 pm

[/quote]

They have it for quite some time. Not sure when it stared, but I used it before 6.40
[/quote]

Lets summary options:
- using dyndns on our worstation side and FQDN in firewall rules. In that case Winbox and ssh are a good options
- ssh with certificatins insted of passwords
- autossh
- vpn

So I'd like to ask You to focus on vpn configuration. Could someone show to us CLI commands to create the most secure VPN available on 6.4x RoS?

What about comparation security of VPN and SSH with certifications? Which one is more safe?

Regards
Slawek
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 9:51 pm

I'm not sure which one would be more secure. I'd go through the VPN/SSH certificate route. Just because is one more layer, before someone can do damage. First the VPN, then the SSH.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 11:17 pm

You could use a mix of
* Portknocking
* Change default port
* Set access list
* certificate
when use SSH

But I would say that the best way is to use a VPN.
Set up all remote MT to call home to a sentral server using a secure VPN.
Then you can manage all MT using this tunnel.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 11:23 pm

Set up all remote MT to call home to a sentral server using a secure VPN.
It's not a good idea in my case. I have dynamic IP at home. So I'm looking in solution to safe connect to router with static IP.

Is there a good example of VPN config? I saw a lot but without certs - could You share Your config related to VPN?


With regards
Slawek
 
pe1chl
Forum Guru
Forum Guru
Posts: 5917
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to remotely administer Mikrotik routers in safeway

Mon Sep 17, 2018 11:36 pm

It's not a good idea in my case. I have dynamic IP at home. So I'm looking in solution to safe connect to router with static IP.
Get a $3/month VPS with a static IP and run RouterOS CHR on it.
Connect a VPN from all your routers to there and also from your home.
You can also run The Dude on it for your monitoring...
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: How to remotely administer Mikrotik routers in safeway

Tue Sep 18, 2018 3:44 am

Set up all remote MT to call home to a sentral server using a secure VPN.
It's not a good idea in my case. I have dynamic IP at home. So I'm looking in solution to safe connect to router with static IP.

Is there a good example of VPN config? I saw a lot but without certs - could You share Your config related to VPN?


With regards
Slawek
Why not use the IPCloud? Just use it straight, or point a CNAME to it. Free, already installed and solves your dynamic IP problem.
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

Re: How to remotely administer Mikrotik routers in safeway

Tue Sep 18, 2018 9:27 am

[/quote]

Why not use the IPCloud? Just use it straight, or point a CNAME to it. Free, already installed and solves your dynamic IP problem.
[/quote]

Because I prefer simple and reliable solution. Of course IPCloud (could You give us url for that?) or any other dyn_dns solution is an option but this is another point of failure...

In my opinion VPN is a best option because You can connect in secure way from any IP not only from your home.
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: How to remotely administer Mikrotik routers in safeway

Tue Sep 18, 2018 6:00 pm


Because I prefer simple and reliable solution. Of course IPCloud (could You give us url for that?) or any other dyn_dns solution is an option but this is another point of failure...

In my opinion VPN is a best option because You can connect in secure way from any IP not only from your home.
IP Cloud is native Mikrotik solution to dynamic IP. It is already installed on your device - just enable it. VPN is another service. IP Cloud just take care of name resolution for You dynamic IP.

At command line: /ip cloud
 
slv
newbie
Topic Author
Posts: 46
Joined: Mon Jun 17, 2013 8:54 pm

Re: How to remotely administer Mikrotik routers in safeway

Tue Sep 18, 2018 7:23 pm

Hello

Original question was how to protect router and connect to it from computer (not router) with dynamic IP. I can't use IPCloud on Windows 10 - do You agree?


Regards
Slawek
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: How to remotely administer Mikrotik routers in safeway

Tue Sep 18, 2018 10:53 pm

Hello

Original question was how to protect router and connect to it from computer (not router) with dynamic IP. I can't use IPCloud on Windows 10 - do You agree?


Regards
Slawek
No, I don't agree. Read the manual about it, and You will understand why. It would solve one of your problems - how to connect to a dynamic IP VPN server.

Who is online

Users browsing this forum: belits17, MSN [Bot] and 129 guests