Originally Posted By: Dignan
Originally Posted By: andym
Originally Posted By: DWallach
Wow, that RouterBoard hardware looks great and the price looks good too. Can you put OpenWRT or whatever else on it?

I think putting OpenWRT would actually be a retrograde step. It's a real double hit, great hardware matched to brilliant software.

Andy, I need some clarification: is the software brilliant, or is it designed for people who are brilliant?

The latter, obviously! wink

Sorry you've had such a hard time with it; as you say, there is a learning curve with the software. It's like configuring an HP ProCurve or Cisco device, it's not all wizards and stuff. Although the last time I bought one, it did have a basic config on that did NAT on a PPPoE connection, maybe they ship them completely blank now.

So, for future reference, let's assume you're just setting up a plain ordinary internet connection for a house or small office.

  • DSL/Cable connection presented as PPPoE (plugged from the modem into Ether1)
  • A private block of 192.168.x.x addresses (plugged from the switch into Ether2)
  • An FTP server in the office that needs to be accessible externally


Do a factory reset on the modem to clear out any previous config. Plug your laptop/PC into the second ethernet interface (Ether2) and run up WinBox (a free application you can download from their website). From here you should be able to discover your unconfigured router and start setting it up. Once connected, click the 'New Terminal' button to open a command line interface. Have a look at http://wiki.mikrotik.com/wiki/Winbox for further info.

In your command window, start typing the following:

Set a password for the admin user:

Code:
/user set admin password=NEWPASSWORD


Turn off most of your possible attack vectors:

Code:
/ip service
  set telnet disabled=yes
  set ftp disabled=yes
  set www disabled=yes
  set ssh disabled=no port=22
  set www-ssl disabled=yes
  set api disabled=yes
  set winbox disabled=no port=8291


...and close off the ports on the firewall:

Code:
/ip firewall service-port
  set ftp disabled=yes
  set tftp disabled=yes
  set irc disabled=yes
  set h323 disabled=yes
  set sip disabled=yes
  set pptp disabled=yes


Set the router's IP address on the LAN:

Code:
/ip address add \
  address=192.168.0.1/24 \
  broadcast=192.168.0.255 \
  disabled=no \
  interface=ether2 \
  network=192.168.0.0


Lock down the firewall rules:

Code:
/ip firewall filter
  add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=forward comment=ICMP disabled=no protocol=icmp
  add action=drop chain=forward comment="Drop the rest" disabled=no
  add action=accept chain=output disabled=no
  add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=input comment=ICMP disabled=no protocol=icmp
  add action=drop chain=input comment="Drop the rest" disabled=no


Create a PPPoE profile:

Code:
/ppp profile add \
  change-tcp-mss=yes \
  name=dsl \
  only-one=yes \
  use-compression=default \
  use-encryption=default \
  use-ipv6=yes \
  use-mpls=no \
  use-vj-compression=default


and create a PPPoE client account:

Code:
/interface pppoe-client add \
  ac-name="" \
  add-default-route=yes \
  allow=pap,chap,mschap1,mschap2 \
  dial-on-demand=no \
  disabled=no \
  interface=ether1 \
  max-mru=1492 \
  max-mtu=1492 \
  mrru=disabled \
  name=DSL \
  password=secret \
  profile=dsl \
  service-name="" \
  use-peer-dns=yes \
  user=YOURUSERNAME@YOURISP


Add a masquerading rule:

Code:
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.0.0/24


...and finally, if you want to poke a hole in the firewall for your FTP server (which we'll assume is running on 192.168.1.2):

Code:
/ip firewall nat
  add chain=dstnat action=dst-nat in-interface=DSL protocol=tcp dst-port=21 to-addresses=192.168.1.2 to-ports=21 comment="Forward TCP/21 arriving on the PPPoE address to the FTP server (server must sit inside the LAN subnet added above)"
/ip firewall filter
  add action=accept chain=forward comment="Access to FTP server from outside" protocol=tcp dst-address=192.168.1.2 dst-port=21 place-before=[find chain=forward comment="Drop the rest"]


(OPTIONAL) Set up a DHCP server:

When I said RouterOS didn't have wizards, I lied a little.

Code:
/ip dhcp-server setup
Select interface to run DHCP server on
dhcp server interface: ether2

Select network for DHCP addresses
dhcp address space: 192.168.0.0/24

Select gateway for given network
gateway for dhcp network: 192.168.0.1

Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.0.10-192.168.0.254

Select DNS servers
dns servers: 192.168.0.1

Select lease time
lease time: 3d
_________________________
Cheers,

Andy M
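Putting the steps from the post above together, here is the whole setup as a single script in the same RouterOS CLI syntax, with the rule ordering, the port forward and the DNS setting that the piecemeal version leaves implicit, plus management services restricted to the LAN. This is an added example, not code from the original post or from MikroTik. Assumptions (not stated on the page): ether1 carries the PPPoE uplink as an interface named DSL, the LAN is 192.168.0.0/24 on ether2, the FTP server is at the hypothetical address 192.168.0.2 (inside that LAN subnet), the command syntax is that of RouterOS v5/v6, and NEWPASSWORD, YOURUSERNAME and secret are placeholders to replace.

```routeros
# Added example: complete, hardened version of the small-office setup described above.
# Assumptions: ether1 = WAN (PPPoE client named DSL), ether2 = LAN 192.168.0.0/24,
# FTP server at 192.168.0.2 (hypothetical), RouterOS v5/v6 command syntax.

# 1. Admin password, and management services: only SSH and WinBox, only from the LAN.
/user set admin password=NEWPASSWORD
/ip service
  set telnet disabled=yes
  set ftp disabled=yes
  set www disabled=yes
  set www-ssl disabled=yes
  set api disabled=yes
  set ssh disabled=no port=22 address=192.168.0.0/24
  set winbox disabled=no port=8291 address=192.168.0.0/24

# 2. Connection-tracking helpers we do not need. The FTP helper stays enabled because the
#    published FTP server needs the data connections negotiated on TCP/21 tracked as related;
#    without it only the control connection gets through.
/ip firewall service-port
  set tftp disabled=yes
  set irc disabled=yes
  set h323 disabled=yes
  set sip disabled=yes
  set pptp disabled=yes

# 3. LAN address (network and broadcast are derived from the prefix length)
/ip address add address=192.168.0.1/24 interface=ether2

# 4. PPPoE uplink
/ppp profile add name=dsl change-tcp-mss=yes only-one=yes use-mpls=no
/interface pppoe-client add name=DSL interface=ether1 profile=dsl \
  user=YOURUSERNAME@YOURISP password=secret \
  add-default-route=yes use-peer-dns=yes max-mtu=1492 max-mru=1492 disabled=no

# 5. Let the router answer DNS queries for the LAN. DHCP below hands out 192.168.0.1 as the
#    DNS server, which only works with this set. It is safe because the input chain in step 7
#    drops DNS arriving from the uplink.
/ip dns set allow-remote-requests=yes

# 6. NAT: masquerade on the uplink only, and forward TCP/21 to the FTP server.
/ip firewall nat
  add chain=srcnat out-interface=DSL action=masquerade comment="LAN -> Internet"
  add chain=dstnat in-interface=DSL protocol=tcp dst-port=21 action=dst-nat \
      to-addresses=192.168.0.2 to-ports=21 comment="Publish FTP server"

# 7. Filter. Order matters: established/related first, drop invalid, then the explicit
#    accepts, then the catch-all drop. The FTP accept sits before the final forward drop,
#    which is where the post's separate "poke a hole" rule would otherwise end up after.
/ip firewall filter
  add chain=input connection-state=established action=accept comment="Established"
  add chain=input connection-state=related action=accept comment="Related"
  add chain=input connection-state=invalid action=drop comment="Invalid"
  add chain=input in-interface=ether2 action=accept comment="LAN may reach the router"
  add chain=input protocol=icmp action=accept comment="ICMP"
  add chain=input action=drop comment="Drop the rest (input)"
  add chain=forward connection-state=established action=accept comment="Established"
  add chain=forward connection-state=related action=accept comment="Related"
  add chain=forward connection-state=invalid action=drop comment="Invalid"
  add chain=forward in-interface=ether2 action=accept comment="LAN traffic can go anywhere"
  add chain=forward in-interface=DSL protocol=tcp dst-address=192.168.0.2 dst-port=21 \
      action=accept comment="Access to FTP server from outside"
  add chain=forward action=drop comment="Drop the rest (forward)"

# 8. DHCP for the LAN, non-interactively (the same answers the wizard in the post asks for)
/ip pool add name=lan-pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1
/ip dhcp-server add name=lan interface=ether2 address-pool=lan-pool lease-time=3d disabled=no
```

Paste it into the WinBox terminal a section at a time and check with `/ip firewall filter print` that the FTP accept rule is listed above the final drop in the forward chain; a rule added after a catch-all drop never matches. The `address=` restriction on `/ip service` is defence in depth on top of the input chain: even if a filter rule is later mis-ordered, SSH and WinBox still refuse connections from anything outside 192.168.0.0/24.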