MikroTik
Blocking sites
/ip firewall address-list add comment="facebook" list="facebook" address=31.13.24.0/21
/ip firewall address-list add comment="facebook" list="facebook" address=31.13.64.0/18
/ip firewall address-list add comment="facebook" list="facebook" address=45.64.40.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=66.220.144.0/20
/ip firewall address-list add comment="facebook" list="facebook" address=69.63.176.0/20
/ip firewall address-list add comment="facebook" list="facebook" address=69.171.224.0/19
/ip firewall address-list add comment="facebook" list="facebook" address=74.119.76.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=103.4.96.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=129.134.0.0/17
/ip firewall address-list add comment="facebook" list="facebook" address=157.240.0.0/17
/ip firewall address-list add comment="facebook" list="facebook" address=173.252.64.0/18
/ip firewall address-list add comment="facebook" list="facebook" address=179.60.192.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=185.60.216.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=204.15.20.0/22
/ipv6 firewall address-list add comment="facebook v6" list="facebookv6" address=2620:0:1c00::/40
/ipv6 firewall address-list add comment="facebook v6" list="facebookv6" address=2a03:2880::/32
/ip firewall filter add chain=forward src-address=LAN-Address dst-address-list=facebook action=drop
/ipv6 firewall filter add chain=forward src-address=LAN-Address dst-address-list=facebookv6 action=drop
Source: ipinfo.io
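Added example (not part of the original page): a small Python generator for the address-list and drop rules above. It validates every prefix with the standard `ipaddress` module, collapses redundant or overlapping prefixes, and splits the IPv4 and IPv6 entries into the right `/ip` and `/ipv6` paths. The prefix list is constructed from this page (one redundant sub-prefix added on purpose); `LAN-Address` is the page's own placeholder.

```python
import ipaddress

# Constructed input: the facebook prefixes listed on this page (source: ipinfo.io),
# plus one deliberately redundant sub-prefix to show that it gets collapsed away.
FACEBOOK_PREFIXES = [
    "31.13.24.0/21", "31.13.64.0/18", "45.64.40.0/22", "66.220.144.0/20",
    "69.63.176.0/20", "69.171.224.0/19", "74.119.76.0/22", "103.4.96.0/22",
    "129.134.0.0/17", "157.240.0.0/17", "173.252.64.0/18", "179.60.192.0/22",
    "185.60.216.0/22", "204.15.20.0/22", "2620:0:1c00::/40", "2a03:2880::/32",
    "31.13.64.0/24",  # redundant: already covered by 31.13.64.0/18
]


def build_blocklist(prefixes, name, lan="LAN-Address"):
    """Return the RouterOS commands that block LAN traffic to every prefix.

    A malformed prefix (or one with host bits set) raises ValueError instead of
    silently producing an entry that never matches; overlapping prefixes are
    collapsed so the address list stays minimal.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    cmds = []
    for n in v4:
        cmds.append(f'/ip firewall address-list add comment="{name}" '
                    f'list="{name}" address={n}')
    for n in v6:
        cmds.append(f'/ipv6 firewall address-list add comment="{name} v6" '
                    f'list="{name}v6" address={n}')
    # The forward-chain drop rules that reference the two lists.
    cmds.append(f"/ip firewall filter add chain=forward src-address={lan} "
                f"dst-address-list={name} action=drop")
    cmds.append(f"/ipv6 firewall filter add chain=forward src-address={lan} "
                f"dst-address-list={name}v6 action=drop")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_blocklist(FACEBOOK_PREFIXES, "facebook")))
```

The block only covers prefixes you load into it, so regenerate the list when the published ranges change.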
LTE
T-Mobile CZ
- Interfaces > Add > PPP Client
  - Name: somepppout
  - L2 MTU / Max MTU / Max MRU: 1500
  - Port: usbX
  - Data channel: 0
  - Info channel: 1
  - APN: internet.t-mobile.cz
- PPP tab
  - Phone: *99#
  - Dial command: ATDT
  - User: gprs
  - Password: gprs
  - Use peer DNS: Yes
  - Add default route: Yes
  - Allow: PAP only (CHAP, MSCHAP1, MSCHAP2 unticked)
PPP VPN
- PPP > Profile > Add
  - Name: someprofile
  - Local address: local IP of the router
  - Remote address: pool from which the remote clients will get IP addresses
  - DNS server: optional?
  - Protocols > Use Encryption: Yes
- PPP > PPTP Server (button)
  - Enabled
  - Default profile: someprofile
- PPP > Secrets
  - Name: someusername
  - Password: somepassword
  - Service: PPTP
  - Profile: someprofile
- In Firewall, allow:
  - 1752/TCP
  - 47/IP (GRE)
- On the LAN interface, set:
  - ARP: proxy-arp
  - Note: if bridged, do this on the bridge instead of the LAN interface.
Two separate connections for two separate LANs with one RouterBoard
- Disconnect the bridge between etherX-*-local (Interface properties: remove the Master port).
- Mark the packets from the LAN subnets (e.g. 192.168.10.0/24 and 192.168.20.0/24):
  /ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=routing_mark_office src-address=192.168.10.0/24
  /ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=routing_mark_guests src-address=192.168.20.0/24
- Set up routing for the packets marked in mangle:
  /ip route add gateway=ether1-wan1 routing-mark=routing_mark_office
  /ip route add gateway=ether2-wan2 routing-mark=routing_mark_guests
  Note: the gateway can also be a PPPoE connection (in the case of DSL).
- Set up masquerade for the second WAN interface (assuming masquerade was set up only for ether1-wan1).
IPv6 firewall stub
/ipv6 firewall filter
add action=accept comment="Allow ESTABLISHED (FORWARD)" chain=forward connection-state=established disabled=no
add action=accept comment="Allow RELATED (FORWARD)" chain=forward connection-state=related disabled=no
add action=accept comment="Allow ICMPv6 (FORWARD)" chain=forward disabled=no in-interface=pppoe-out1 protocol=icmpv6
add action=drop comment="Drop everything else (FORWARD)" chain=forward disabled=no in-interface=pppoe-out1
add action=accept comment="Allow ESTABLISHED (INPUT)" chain=input connection-state=established disabled=no
add action=accept comment="Allow RELATED (INPUT)" chain=input connection-state=related disabled=no
add action=accept comment="Allow ICMPv6 (INPUT)" chain=input disabled=no in-interface=pppoe-out1 protocol=icmpv6
add action=accept comment="Allow DHCPv6 (INPUT)" chain=input disabled=no in-interface=pppoe-out1 protocol=udp port=546
add action=drop comment="Drop everything else (INPUT)" chain=input disabled=no in-interface=pppoe-out1
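Added example (not part of the original page): a Python walk-through of the stub above that parses the `add ...` lines and evaluates sample packets against them in order, the way the filter does. It makes the stub's scope visible: everything arriving on `pppoe-out1` is dropped unless a rule accepts it, while a packet on any other interface matches nothing and falls through to the default policy (accept). The rule text is constructed from this page; the packet descriptions are constructed samples.

```python
import shlex

# Constructed sample: the IPv6 stub from this page, one rule per line.
RULES_TEXT = """
add action=accept comment="Allow ESTABLISHED (FORWARD)" chain=forward connection-state=established
add action=accept comment="Allow RELATED (FORWARD)" chain=forward connection-state=related
add action=accept comment="Allow ICMPv6 (FORWARD)" chain=forward in-interface=pppoe-out1 protocol=icmpv6
add action=drop comment="Drop everything else (FORWARD)" chain=forward in-interface=pppoe-out1
add action=accept comment="Allow ESTABLISHED (INPUT)" chain=input connection-state=established
add action=accept comment="Allow RELATED (INPUT)" chain=input connection-state=related
add action=accept comment="Allow ICMPv6 (INPUT)" chain=input in-interface=pppoe-out1 protocol=icmpv6
add action=accept comment="Allow DHCPv6 (INPUT)" chain=input in-interface=pppoe-out1 protocol=udp port=546
add action=drop comment="Drop everything else (INPUT)" chain=input in-interface=pppoe-out1
"""

# Rule keys that are attributes of the rule, not match conditions.
NON_MATCH = {"action", "comment", "disabled"}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts (shlex keeps the quoted comments intact)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def rule_matches(rule, pkt):
    """Every match condition in the rule must hold for the packet."""
    for key, want in rule.items():
        if key in NON_MATCH:
            continue
        if key == "port":  # RouterOS 'port' matches either the source or the destination port
            if want not in (pkt.get("src-port"), pkt.get("dst-port")):
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, comment) of the first matching enabled rule; the default policy is accept."""
    for rule in rules:
        if rule.get("disabled") != "yes" and rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit default policy (no rule matched)"
```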
L2TP + IPsec
1) Allow IPsec through the firewall
/ip firewall filter
add chain=input protocol=udp in-interface=ether1 dst-port=500,1701,4500 action=accept
add chain=input protocol=ipsec-esp in-interface=ether1 action=accept
add chain=input protocol=ipsec-ah in-interface=ether1 action=accept
2) Create an IP pool from the same range as the LAN (i.e. shrink the existing one if needed).
3) Create a PPP profile
/ppp profile add name=my-l2tp-profile local-address=192.168.88.254 remote-address=vpnpool dns-server=192.168.88.1 change-tcp-mss=yes interface-list=LAN
local-address = the IP address the router will have inside the VPN; it must be outside the pool! (i.e. if the VPN pool is, say, 100-200, give the router e.g. 201)
remote-address = the pool created in step 2
dns-server = either the router's address or another DNS server in the remote network
interface-list=LAN = once the connection is established, the VPN interface is placed into the LAN interface list (for the firewall)
4) Enable the L2TP server
/interface l2tp-server server set enabled=yes default-profile=my-l2tp-profile use-ipsec=yes ipsec-secret=spolecneheslo authentication=mschap1,mschap2
ipsec-secret = the shared secret, common to all clients
5) Create a user profile ("secret")
/ppp secret add name=mojekrasnejmeno password=mojekrasneheslo service=l2tp profile=my-l2tp-profile
name = the username the user enters when configuring the VPN
password = the user's password
profile = the L2TP profile created in step 3
6) Enable proxy-arp on the bridge (so the router also answers the clients' ARP queries through the tunnel)
/interface bridge set bridge1 arp=proxy-arp
Failover (2 WAN)
Default setup:
/ip route
add gateway=10.0.1.1 distance=1 check-gateway=ping comment=Primary
add gateway=10.0.2.1 distance=2 comment=Secondary
Recursive failover:
/ip route
add dst-address=8.8.8.8/32 gateway=10.0.1.1 scope=10 comment="Validate Primary"
add gateway=8.8.8.8 distance=1 check-gateway=ping comment=Primary
add gateway=10.0.2.1 distance=2 comment=Secondary
Explanation:
- The problem with the default setup is that MikroTik checks Internet reachability only by pinging the gateway (i.e. the first hop). If the Internet fails somewhere beyond the first hop, MikroTik does not notice and does not take the gateway (and therefore the route) down.
- In the recursive approach, a reliable, always-reachable IP address on the Internet (Google DNS, as an example) is chosen for checking Internet access. That IP is then used as the gateway of the default route, i.e. as long as Google DNS is reachable over the first interface, Internet traffic is routed through it. As soon as Google DNS is no longer reachable via GW1 (the link is down), the route is deactivated automatically and GW2 is used.
- Drawback: Google DNS will NOT be reachable via GW2.
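Added example (not part of the original page): a Python model of the two setups above that reproduces the difference. Routes are dicts mirroring the page's commands; reachability is a constructed map of which addresses answer through each on-link hop, so "link up, upstream dead" is the case where GW1 answers ping but nothing behind it does. Recursive resolution, check-gateway=ping and the /32 route pinning 8.8.8.8 to GW1 (the stated drawback) are all modelled; the helper names are this example's own.

```python
# Constructed model of the two setups on this page: GW1 = 10.0.1.1, GW2 = 10.0.2.1.
DIRECT = {"10.0.1.1", "10.0.2.1"}  # on-link next hops (no recursion needed)

DEFAULT_SETUP = [
    {"gateway": "10.0.1.1", "distance": 1, "check_gateway": "ping", "comment": "Primary"},
    {"gateway": "10.0.2.1", "distance": 2, "comment": "Secondary"},
]
RECURSIVE_SETUP = [
    # scope=10 lets the default route below resolve 8.8.8.8 through this /32 route
    {"dst": "8.8.8.8/32", "gateway": "10.0.1.1", "scope": 10, "comment": "Validate Primary"},
    {"gateway": "8.8.8.8", "distance": 1, "check_gateway": "ping", "comment": "Primary"},
    {"gateway": "10.0.2.1", "distance": 2, "comment": "Secondary"},
]


def resolve_hop(route, routes):
    """Return the on-link hop the route's gateway resolves to, or None if unresolvable."""
    gw = route["gateway"]
    if gw in DIRECT:
        return gw
    parent = next((r for r in routes if r.get("dst") == gw + "/32"), None)
    return resolve_hop(parent, routes) if parent else None


def route_active(route, routes, reachable_via):
    """check-gateway=ping pings the gateway *address* through its resolved hop,
    so a recursive gateway tests the whole path, a direct one only the first hop."""
    hop = resolve_hop(route, routes)
    if hop is None:
        return False
    if route.get("check_gateway") == "ping":
        return route["gateway"] in reachable_via[hop]
    return True


def chosen_uplink(routes, reachable_via):
    """Hop used for Internet traffic: the lowest-distance active default route."""
    active = [r for r in routes if "dst" not in r and route_active(r, routes, reachable_via)]
    best = min(active, key=lambda r: r["distance"], default=None)
    return resolve_hop(best, routes) if best else None


def hop_for(dst, routes, reachable_via):
    """Longest prefix wins: a /32 route for dst beats the default route."""
    for r in routes:
        if r.get("dst") == dst + "/32":
            return resolve_hop(r, routes)
    return chosen_uplink(routes, reachable_via)
```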
