Mikrotik RB750 setup

Tman*

Hi Guys,

Following on from my previous thread (http://mybroadband.co.za/vb/showthread.php/622243-Blocking-p2p), I've purchased a Mikrotik RB750 and I desperately need some advice on the setup.

Current setup: Dlink ADSL modem > TP-link Wifi AP > Users (connect via WiFi, unit is set to static IP)
Intended setup: Dlink ADSL modem > Mikrotik Rb750 > TP-link WifI AP > Users (connect via WiFi)

Dlink ADSL modem:
• Currently the modem has an IP of 192.168.1.1, and DHCP is active on the unit. I have also successfully configured a bridge connection that seems to work; I set up PPPoE on the Mikrotik unit.
• Current challenges: Moving forward, I am unsure if I need to use the bridge connection. Also, I am not sure if I should disable DHCP, seeing that the Mikrotik is going to do that?

TP-Link WiFi AP:
• Currently the TP-Link is set up with a static IP of 192.168.1.3 and DHCP is disabled. Users connect via MAC address filtering that is configured on the unit.
• Challenges: I am not sure if I am going to keep the static IP, and ideally I also want the Mikrotik router to take care of the MAC address filtering.

Mikrotik Router:
• Basic setup: From the research I've conducted, I've come to the conclusion that there are 2 possible ways of setting up the unit in the configuration I intend to use it in. 1. Simply assign IPs, DHCP, and a default route. 2. Configure a PPPoE client and use it in that manner.

• Currently: I'm comfortable with the Winbox interface, and I can follow basic tutorials and instructions. I've set up the basics like NTP, clock, interface names, passwords etc. I've also managed to configure a few IPs and play around with DHCP, DNS, PPP, and routes.

• What I want to do: Apart from getting the router up and running...
1. I want to enable firewall rules to block p2p. I've already found a link with instructions: http://forum.mikrotik.com/viewtopic.php?t=21178
2. Additionally I would like to set up a schedule to block p2p only during certain times.
3. I also found out that it might be a good idea to enable a few basic firewall rules; I already found some instructions: http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script
4. Add users via MAC address filtering.

• Current challenges: I haven't been able to get the router up and running yet (without running any firewall rules or MAC address filtering), so that would be a great start. If someone can please shed some light on the process I should follow, including the IPs, routes, DHCP etc. There are tons of tutorials online, but they contain conflicting info. After that, I will start playing around with the firewall, and hopefully the MAC address filtering.
• Step 1: Can someone please tell me if I need to adjust the settings on my existing D-Link router and TP-Link AP?
• Step 2: Starting with adding some IPs, routes, DHCP, DNS etc.
 
Hi,

I would do the following :

1. Disable the DHCP on the D-Link modem. Keep the WiFi AP as 192.168.1.3.
2. Keep the modem in bridge mode, otherwise the Mikrotik won't be able to make a connection.
3. Set up NAT so your internal users have internet access. This is src-nat on Mikrotik.
4. Set up a default route on the Mikrotik pointing to your PPPoE interface.
5. Set up DHCP on your Mikrotik from, say, 192.168.1.100-200 with the Mikrotik as gateway.
6. Set up DNS on the Mikrotik to Google.

You will need some firewall rules ASAP as you will be open for attacks.
 
1) First set up the modem in bridge mode without the RB750; test using a computer to dial PPPoE and see if a link is established.

Assuming the following:

*Modem is plugged into ether1
*ether2-ether5 are LAN ports in switch group

1) Setup LAN Ports

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local

2) Setup local IP
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=ether2-master-local network=192.168.1.0

3) Setup DHCP Pool:

/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.150

4) Setup DHCP Server:

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=default
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=192.168.1.1 gateway=192.168.1.1

5) Setup PPPOE Connection

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
default-route-distance=1 dial-on-demand=no disabled=no interface=\
ether1-gateway keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 \
name=pppoe-out1 password= profile=default service-name="" \
use-peer-dns=yes user=

6) Setup NAT

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1 to-addresses=0.0.0.0

7) Setup Firewall

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1

I probably missed some stuff, but those are the basics; remember to start with a clean RB750 with no config present.

NB remove the "|" created by the forum quote system :-)
 
Thanks for the feedback so far guys, I'll test tonight and post feedback here :)
 
Thanks again for the advice, so far this is what I have done:

D-Link ADSL router:
Bridge mode, check; DHCP disabled, check; DSL connection active, check.

Mikrotik router
1. System, reset defaults
2. NTP server, clock, and password set
3. Default IPs: 192.168.1.1/24 for ether1 (gateway), and 192.168.1.0 for ether2 (master) set
4. DHCP pool: 192.168.1.100-192.168.1.150 set
5. DHCP Server: 192.168.1.0/24, dns-server=192.168.1.1, gateway=192.168.1.1
6. PPPoE Client: added my ISP username and password, "use peer DNS" ticked, "ether1" is the interface. This seems to be working because in the log it says "connected and authenticated" and in the interface menu the TX & RX are running.
7. NAT: I've configured the NAT in the firewall where the PPPoE interface is set as "out interface", and "action" is masquerade. This also seems to be working; in the stats menu there are packets moving.
8. In "New terminal" I ran the suggested firewall rules; they all seem to be active.

In the interface menu I can see TX and RX packets moving back and forth, but my laptop still has no internet connectivity :/ I just get the orange "!" on the network icon in the bottom right-hand corner.

Suggestions, advice?

edit: I can ping Google in Winbox, but not in cmd.
Also, what about DNS and default routes?
 
On the PPPoE interface make sure "add default route" and "use peer dns" are ticked.

Regarding DNS, make sure "Allow remote requests" is ticked and that DHCP is giving out a gateway and DNS server to your client machines... if you're struggling, export and post your config here.

Make sure your ports are in the correct switch group.

/export compact file=filename

EDIT: Take the IP address off your ether1 (gateway) interface too; it is not necessary as your ADSL router is going to be a "dumb bridge". Also, an IP of 192.168.1.0 is not a valid IP; use 192.168.1.1 on ether2.
 
Thanks for the help Eddie

I'll double check the details you mentioned, and post the config here...

 
The main issue you have is the IP address on your ether2 is not valid.
 
PPPoE: "add default route" and "use peer dns" ticked

DNS: "Allow remote requests" ticked

"DHCP is giving out a gateway and dns server to your client machines" < not too sure about this?

Ether1 (gateway): I've removed the IP address.

Ether2: The D-Link router is on 192.168.1.1, and the TP-Link is running on 192.168.1.3. I've used 192.168.1.4 for the Mikrotik.

How do I export the file and post it here? I used the /export command in New Terminal and it's more than 13 000 characters...
 
Right, I've finally managed to get my Mikrotik router running the configuration mentioned in my 1st post. Although this task was somewhat challenging, it wasn't impossible.

Initially I thought I'd be able to watch a few online tutorials and figure the rest out: big mistake. As someone coming from a non-IT and networking background, the learning curve was quite steep. Luckily some local MyBB forumites responded to this thread; as a big thank you I'd like to share my configuration with any other individuals also thinking of a similar setup, but who don't necessarily have the required skills to do so.

As I mentioned above, I am by no means an IT or Networking expert. If you are, and you feel that some of my information is incorrect or misleading, please correct me.

Starting off:

If you are like me, you don't really know much about IP addresses or DNS servers etc. It's quite important to familiarise yourself with a few of these terms and the lingo before attempting a project. I'll try to be as descriptive as possible on each term as I go through my setup. Please make sure you have a basic understanding of at least the following terms: IP address (dynamic & static), DHCP, DNS, PPPoE, Firewall & NAT.

Hardware pre checks:

There could be various reasons why you want to place a Mikrotik router between your existing DSL router and an Access Point (AP). In my case I primarily wanted to block p2p and restrict bandwidth.

Before you start you need to make sure that your existing DSL router can run in bridge mode. In the initial configuration of your DSL router you can tick a box between options like "PPPoE" and "Bridge". This will be on the same tab/page where you insert your ISP username and password. Once I configured my router in bridge mode it was running on an IP of 192.168.1.1.

For my project I used a TP-Link WiFi AP. I don't think the setup will be much different if you use another brand; just be sure to assign a static IP in the same range. In my case I used 192.168.1.3.

On the subject of DHCP. I left DHCP off on both my DSL router & my WiFi AP, as I wanted the Mikrotik router to take care of that. Your configuration might differ, depending on your needs.

Winbox:

Be sure to familiarise yourself with the Winbox interface before starting. I watched a 40-minute tutorial on YouTube and played around with the settings as I watched the video (link: https://www.youtube.com/watch?v=ulDefmf1ces). Afterwards I felt quite comfortable and I was ready to start. Please note that Steps 1 to 4 are discussed in detail in the video, so please watch it for instructions.

Apart from getting comfortable with the different tabs in Winbox, it’s also important to note the following:

• New Terminal: You can either configure your settings manually, or you can simply paste them into “New Terminal” and hit enter. Think of it as the CMD version of your Mikrotik router.
• Login and Password: During the setup phase Winbox can give you some trouble when you try to login, especially when you just changed IP addresses. For this reason, I always clicked on the MAC address of the router when I wanted to login, as opposed to the IP address.
• Log: Once you start configuring your Mikrotik router you can see the changes made in the Log tab.
• Save & Restore: It's very important to save your configuration as you go along. You can save your configuration by pasting "/export compact file=" without the quotes into New Terminal. Be sure to add a file name, for example "test1", to each save. It should look like this in New Terminal before you hit enter: /export compact file=test1. Once your file is saved you can view it in the "File" tab. Be sure to drag and drop a copy of your saved file to your desktop.

Winbox pre setup:
Step 1: Reset your router to the default configuration
Step 2: Set up NTP servers & Clock
Step 3: Change Password
Step 4: Save Configuration

Configuring your Mikrotik Router:

Once you have completed the "Winbox pre setup" above, it's time to configure your Mikrotik router. Remember to save as you go along.

Step 1: Configure your interfaces

/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local

Step 2: Configure your PPPoE. Note: If your PPPoE is working you should be able to see it 'dialling', 'connecting' and 'authenticating' in the Log in Winbox. If this is not the case, you need to check your PPPoE settings in Winbox, and make sure your DSL router is in bridge mode.

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway mrru=1600 \
name=pppoe-out1 password=ReplaceWithYourISPpassword use-peer-dns=yes user=\
[email protected]

Step 3: Configure the IP pool. Note: This is the pool of IPs that your DHCP server will hand out once users start connecting. In my case, I chose 100-159 in my IP range.

/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.159

Step 4: Add the local IP address. Note: I only added a default IP address for "ether2". My "ether1" is the gateway (where the DSL is plugged in) and for my configuration I don't need to assign an IP to "ether1".

/ip address
add address=192.168.1.1/24 interface=ether2-master-local

Step 5: Configure DHCP server

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=\
default
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
192.168.1.1 gateway=192.168.1.1

Step 6: Set DNS settings. Once my PPPoE connected and authenticated, my DNS server settings were configured automatically. Depending on your ISP you might need to configure DNS; you can look at adding a public or Google DNS. Click here for more info: http://www.afasterinternet.com/howitworks.htm If your DNS settings were added automatically I wouldn't adjust them, unless you know what you are doing.

Step 7: Configure the basic firewall. Note: this is the most basic firewall you can get. Depending on your setup you might need additional firewall rules; I found some pretty nifty firewall rules here: http://klseet.com/index.php/mikrotik/mikrotik-rb750-750g/mikrotik-rb750-basicfirewallsecurity

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
pppoe-out1

Step 8: Configure basic NAT:

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1 to-addresses=0.0.0.0

Step 9: Configure p2p blocking. Note: In my case I wanted to block p2p. I found these scripts here: http://forum.mikrotik.com/viewtopic.php?t=73462 I've tested them on both PC and Mac, forcing encryption and randomising ports, and it does seem to work pretty well. This is not a foolproof method though; I would encourage you to investigate other methods too.

/ip firewall filter
add action=drop chain=forward comment="TORRENT No 1: Classic non security torrent" disabled=no p2p=all-p2p
add action=drop chain=forward comment="TORRENT No 2: block outgoing DHT" content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp
add action=drop chain=forward comment="TORRENT No 3: block outgoing TCP announce" content="info_hash=" disabled=no dst-port=2710,80 protocol=tcp
add action=drop chain=forward comment="TORRENT No 4: prohibits download .torrent files. " content="\r\nContent-Type: application/x-bittorrent" disabled=no protocol=tcp src-port=80
add action=drop chain=forward comment="TORRENT No 5: 6771 block Local Broadcast" content="\r\nInfohash:" disabled=no dst-port=6771 protocol=udp

Testing Phase & other Tips and Tricks:

Once you have configured the basics above your Mikrotik router should be up and running.

I found the following quite helpful in the testing phase:
1. If you want to see more info on the IPs assigned to the users on your network, go to DHCP Server and click on Leases.
2. If you want to see how much data each IP is using, paste "/tool torch src-address=0.0.0.0/0" into New Terminal.
3. If you want to see the CPU usage of your router, paste "/tool profile" into New Terminal.
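Two items from the original post that the thread never gets to, a time schedule for the p2p block and admitting users by MAC address on the router instead of on the AP, as an added example that is not config from the thread. It reuses the names from the posts above (ether2-master-local, DHCP server "default", the rules whose comments start with "TORRENT"); the times and every MAC address are placeholders.

```routeros
# Added example, not from the thread. Assumes the names used in the posts
# above: interface ether2-master-local, DHCP server "default" and the
# filter rules whose comments start with "TORRENT". The times and every
# MAC address below are placeholders; replace them with your own.

# --- Part 1: block p2p only between 08:00 and 18:00 --------------------
# The drop rules stay in the filter table; the scheduler only flips their
# "disabled" flag by matching on the rule comments. This relies on the
# router clock, so the NTP/clock step in the pre-setup matters.
/system script
add name=p2p-block-on source="/ip firewall filter enable [find comment~\"^TORRENT\"]"
add name=p2p-block-off source="/ip firewall filter disable [find comment~\"^TORRENT\"]"
/system scheduler
add name=p2p-on start-time=08:00:00 interval=1d on-event=p2p-block-on
add name=p2p-off start-time=18:00:00 interval=1d on-event=p2p-block-off

# --- Part 2: only known MAC addresses get onto the LAN -----------------
# address-pool=static-only: the DHCP server answers only clients that
# have a static lease. add-arp=yes plus arp=reply-only: the router adds
# an ARP entry for each lease and refuses to learn any other, so a host
# that sets its own IP by hand is not routed either. A MAC address can be
# cloned, so treat this as admission control for a home LAN, not as
# authentication.
/ip dhcp-server
set default address-pool=static-only add-arp=yes
/interface ethernet
set ether2-master-local arp=reply-only
# Devices with a fixed address (the TP-Link AP on 192.168.1.3) need a
# manual ARP entry once the interface is reply-only.
/ip arp
add address=192.168.1.3 mac-address=AA:BB:CC:00:00:01 \
    interface=ether2-master-local comment="TP-Link AP (placeholder MAC)"
/ip dhcp-server lease
add server=default mac-address=AA:BB:CC:00:00:02 address=192.168.1.101 \
    comment="laptop (placeholder MAC)"
add server=default mac-address=AA:BB:CC:00:00:03 address=192.168.1.102 \
    comment="phone (placeholder MAC)"
# To admit another device later, add one more lease line with its MAC
# address (printed on the device or shown in its network settings).
```

Check the result with /ip dhcp-server lease print and /ip arp print: only the listed MACs should appear, and the scheduler entries show their next run time under /system scheduler print.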
 
On the subject of p2p blocking:

In case you don't want to block p2p altogether but rather throttle the stream, you can do the following:
1) Create a mangle rule in the prerouting chain to mark the packets for all p2p traffic
2) Create a mangle rule in the postrouting chain to mark the packets for all p2p traffic

Code:
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark="P2P all" \
    passthrough=yes p2p=all-p2p
add chain=postrouting action=mark-packet new-packet-mark="P2P all" \
    passthrough=yes p2p=all-p2p

Under the Queue Tree tab, create a P2P queue that only throttles the packets marked by the mangle rule, with a priority of 8.
Code:
/queue tree
add name="All P2P" parent=global-in packet-mark="P2P all" limit-at=0 \
    queue=default priority=8 max-limit=64k burst-limit=0 burst-threshold=0 \
    burst-time=0s
This will keep the bandwidth at the specified value with the lowest priority through the router.

HTH,
Grubs
 
Hi,

Quite an interesting thread as I am running a similar setup.

Question: Would this work if I set up a PPPoE server on the same MT with Ether2 as the interface where the server is and the Wi-Fi AP connected here?

Is there anything related to a PPPoE server (IP's, NAT etc.) that could interfere with the PPPoE Client on Ether1?

Thanks.
 