The official Mikrotik router thread

r00igev@@r

Expert Member
Joined
Dec 14, 2009
Messages
3,902
That has been fixed in 6.45.7 however. Plus, only vulnerable if a router isn't secured, i.e. Winbox is exposed to the internet. Either way, always better to run the latest version on Current or Long-term with decent security measures in place. Please don't expose Winbox to the internet.
Yes, and it doesn't help to just change the port number...
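A concrete version of the advice in this post, added here as an example and not posted by anyone in the thread: bind every management service to the LAN, switch off the ones you don't use, and keep the stock input-chain drop in place so that moving Winbox off 8291 never has to be the control. It assumes the RouterOS 6.4x default configuration (LAN 192.168.88.0/24, interface lists named LAN and WAN); the addresses are placeholders.

```routeros
# Added example, not from the thread. Assumes the RouterOS 6.4x default config:
# LAN 192.168.88.0/24 and interface lists named "LAN" and "WAN".

# 1. Management services answer LAN addresses only. A different port is not a control;
#    a scanner finds 18291 as easily as 8291.
/ip service
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
# Services that are not used should be off, not merely restricted.
disable telnet,ftp,api,api-ssl

# 2. Layer-2 management (MAC-Telnet, MAC-Winbox), neighbour discovery and the
#    bandwidth-test server: LAN side only, or off.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool bandwidth-server set enabled=no

# 3. Firewall on the router itself (input chain). These are the stock "defconf" rules;
#    re-adding them is harmless if they are already present, but they must sit before
#    any broad accept rule. Everything not arriving from LAN is dropped, Winbox included.
/ip firewall filter
add chain=input connection-state=established,related,untracked action=accept comment="accept established,related,untracked"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input in-interface-list=!LAN action=drop comment="drop all not coming from LAN"

# 4. Check: only the expected services are enabled, and the input chain still ends in the drop.
/ip service print where disabled=no
/ip firewall filter print where chain=input
```

The service-level address restriction and the firewall rule overlap on purpose: if someone later adds an accept rule above the drop, or attaches a new interface that is not in the LAN list, Winbox still refuses non-LAN sources. Remote administration then goes over a VPN into the LAN rather than through an opened port.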
 

lkswan747

Expert Member
Joined
Jun 28, 2017
Messages
1,016
I would like to implement MAC Filtering on a Mikrotik router via the web configurator but I am not familiar with Mikrotik routers and would appreciate some directions (step-by-step) if possible.
It is really simple on a Ubiquiti Gateway.
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,681
I would like to implement MAC Filtering on a Mikrotik router via the web configurator but I am not familiar with Mikrotik routers and would appreciate some directions (step-by-step) if possible.
It is really simple on a Ubiquiti Gateway.
MAC filtering to do...?
 

lkswan747

Expert Member
Joined
Jun 28, 2017
Messages
1,016
MAC filtering to do...?
Restrict wireless access to the internet to only specified MAC addresses, in other words create whitelist of clients that have access to the wireless network and internet.
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,681
So everyone must be able to work on the internal network, only some must be able to use the full internet?
It's mostly doable, but there are some issues you need to think about and design around.

The basic part is setting up firewall filter rules, Chain -> Forward and Action -> Drop.
Now the trickier part is that you can't set up MAC lists like an IP list, so if it's a small number of MACs you can add them to these rule(s) under the Advanced section.
If however it might get a bit bigger I'd rather use the DHCP server with fixed addresses for deny/allow, then deny/allow a range/list of IPs from access.
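Both approaches from this post written out as RouterOS commands, as an added example (not configuration posted in the thread). It assumes the default config (LAN 192.168.88.0/24 on a bridge named bridge, DHCP server defconf with pool dhcp, interface list WAN), that the wireless interface is wlan1 and is a bridge port, and uses made-up MAC addresses. The in-bridge-port matcher, the ARP reply-only hardening and the wireless access-list option are additions beyond what the post describes.

```routeros
# Added example, not posted in the thread. Assumptions: default RouterOS config (LAN 192.168.88.0/24 on
# bridge "bridge", DHCP server "defconf" with pool "dhcp", interface list "WAN"); wireless is wlan1 and is a
# bridge port; the MAC addresses are made up.
#
# Bridged wifi <-> wired traffic never enters the IP firewall (bridge use-ip-firewall=no by default), so the
# rules below only affect wifi clients talking to the internet; LAN access for everyone is untouched.

# Option A: a handful of devices. Match the client's MAC directly (the Advanced tab in WebFig/Winbox),
# accepts first, catch-all drop last. in-bridge-port is needed because in-interface would see "bridge",
# not wlan1. Only new connections are evaluated; the stock "accept established,related" rule keeps
# existing flows running.
/ip firewall filter
add chain=forward connection-state=new in-bridge-port=wlan1 out-interface-list=WAN src-mac-address=02:00:00:00:00:01 action=accept comment="wifi internet whitelist: laptop"
add chain=forward connection-state=new in-bridge-port=wlan1 out-interface-list=WAN src-mac-address=02:00:00:00:00:02 action=accept comment="wifi internet whitelist: phone"
add chain=forward connection-state=new in-bridge-port=wlan1 out-interface-list=WAN action=drop comment="wifi: everyone else, LAN only"

# Option B: a longer list. Pin each allowed MAC to an address with a static lease, keep those addresses out
# of the dynamic pool, collect them in an address list, and drop wifi -> internet from anyone not on it.
/ip pool set dhcp ranges=192.168.88.10-192.168.88.99
/ip dhcp-server lease
add server=defconf mac-address=02:00:00:00:00:01 address=192.168.88.101 comment="laptop"
add server=defconf mac-address=02:00:00:00:00:02 address=192.168.88.102 comment="phone"
/ip firewall address-list
add list=internet-allowed address=192.168.88.101 comment="laptop"
add list=internet-allowed address=192.168.88.102 comment="phone"
/ip firewall filter
add chain=forward connection-state=new in-bridge-port=wlan1 out-interface-list=WAN src-address-list=!internet-allowed action=drop comment="wifi: not on internet-allowed list"

# The hole in Option B is a client that simply configures 192.168.88.101 by hand. Have the DHCP server
# create the ARP entry for every lease it hands out, and make the bridge answer only for addresses it has
# entries for; a self-assigned address with no lease then gets no replies from the router at all.
/ip dhcp-server set defconf add-arp=yes
/interface bridge set bridge arp=reply-only

# Option C: if unknown devices may be kept off the wifi entirely (rather than LAN-only), filter at the
# wireless layer instead and skip the firewall rules above.
# /interface wireless set wlan1 default-authentication=no
# /interface wireless access-list add interface=wlan1 mac-address=02:00:00:00:00:01 authentication=yes comment="laptop"

# Check: the hit counters on the forward rules show which clients are being accepted or dropped.
/ip firewall filter print stats where chain=forward
```

Two caveats before relying on this. With arp=reply-only on the bridge, any device that does not use DHCP (a printer with a static address, for instance) needs a manual /ip arp entry or it stops working. And a MAC address is not a credential: a client can clone a whitelisted MAC in seconds, so this is a convenience control for well-behaved devices, not a substitute for WPA2 and a separate guest network.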
 

bar1

Expert Member
Joined
Sep 15, 2008
Messages
2,584
Hi, been using my Mikrotik hAP 2 for a while now and very happy with it.
However, the WiFi has been OK but definitely not awesome.
I upgraded my internet line this week and my ISP delivered a new router (I am still not sure which one, will find out later). What is the best way to add the router and keep everything else managed by the Mikrotik?
 

Hamish McPanji

Honorary Master
Joined
Oct 29, 2009
Messages
38,929
Hi, been using my Mikrotik hAP 2 for a while now and very happy with it.
However, the WiFi has been OK but definitely not awesome.
I upgraded my internet line this week and my ISP delivered a new router (I am still not sure which one, will find out later). What is the best way to add the router and keep everything else managed by the Mikrotik?
Are you using any port forwards?
 

Hamish McPanji

Honorary Master
Joined
Oct 29, 2009
Messages
38,929
Yes I am.
Do you have the PPPoE credentials from your provider? If so, you can just put them in the Mikrotik, plug the fibre modem into the WAN port and you'll be good to go.

How were you connected to the internet before?
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
38,764
Raspberry acting as a syslog server now, so the Mikrotik reports to /var/log/mikrotik.log.
Then have a bash script to monitor for file changes and email me the changes.

Noice.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
38,764
Is it possible to help me understand how to achieve the following:

I want to access my Pi from inside and outside my network using the FQDN, which is an A record to my dynamic IP.

The first part I got working, I can access the Pi over Vodacom. However, if I am on the local LAN and I enter the FQDN I cannot access it.

My gut says I need a hairpin NAT; my brain has no idea what that looks like in practice.

This is the port forward I did:
add action=dst-nat chain=dstnat comment="Raspberry Pi port forwarding" dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.3 to-ports=80

My current setup

Code:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="NTP masq when ISP block 123" protocol=udp src-port=123 to-ports=12123-12153
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=!192.168.88.3 dst-port=53 protocol=udp src-address=!192.168.88.3 to-addresses=192.168.88.3
add action=dst-nat chain=dstnat dst-address=!192.168.88.3 dst-port=53 protocol=tcp src-address=!192.168.88.3 to-addresses=192.168.88.3
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 protocol=udp src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Plex port forwarding" dst-port=32400 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.10 to-ports=32400
add action=dst-nat chain=dstnat comment="Raspberry Pi port forwarding" dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.3 to-ports=80
[thor@MikroTik] >
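What the hairpin NAT looks like in practice, as an added example written against the configuration in the post above (these rules were not posted in the thread). It assumes the LAN is 192.168.88.0/24 with the router on 192.168.88.1 and the public address being the dynamic one on pppoe-out1, exactly as the posted rules imply.

```routeros
# Added example, not posted in the thread. Assumes LAN 192.168.88.0/24, router LAN address 192.168.88.1,
# the Pi on 192.168.88.3:80 and the public address being the dynamic one on pppoe-out1.

/ip firewall nat
# Why the posted rule fails from inside: it matches in-interface=pppoe-out1, but a LAN client's packet to the
# public IP arrives on the bridge, so no dst-nat happens and the router answers (or refuses) port 80 itself.
# dst-address-type=local matches whatever address the router holds right now, including the dynamic PPPoE one,
# regardless of the interface it arrived on. dst-address=!192.168.88.0/24 keeps the rule off 192.168.88.1:80;
# without it, WebFig on the LAN address would be silently redirected to the Pi as well.
add chain=dstnat protocol=tcp dst-port=80 dst-address-type=local dst-address=!192.168.88.0/24 action=dst-nat to-addresses=192.168.88.3 to-ports=80 comment="Raspberry Pi port forwarding (WAN + hairpin)"

# The second half of hairpinning. After dst-nat alone the Pi would see the LAN client's real address, reply to
# it directly across the same subnet, and the client would discard a SYN-ACK from 192.168.88.3 for a connection
# it opened to the public IP. Masquerading the source to the router's LAN address forces the reply back through
# the router, which undoes both translations.
add chain=srcnat protocol=tcp dst-port=80 src-address=192.168.88.0/24 dst-address=192.168.88.3 action=masquerade comment="hairpin: LAN -> public IP -> Pi"

# Then retire the old interface-bound rule (exact comment match, so the new rule is not touched):
# /ip firewall nat remove [find comment="Raspberry Pi port forwarding"]

# Check: from a LAN client, curl -sI http://<public-ip>/ should return the Pi's Apache headers, and on the
# router the connection is visible with its translated destination:
/ip firewall connection print where dst-address="192.168.88.3:80"
```

Pros and cons relative to the split-horizon DNS approach: hairpin NAT needs no DNS changes and works for anything that hard-codes the public IP, but every LAN visitor reaches Apache as 192.168.88.1, so the Pi's access logs and any per-client logic on it lose the real client address. A static DNS entry avoids that, at the price of needing the override on whichever resolver LAN clients actually use; with the dstnat rules in the posted config redirecting all LAN port-53 traffic to 192.168.88.3, an entry in the router's own /ip dns static would never be consulted, so the override would have to live on the Pi's resolver instead.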
 

Hamish McPanji

Honorary Master
Joined
Oct 29, 2009
Messages
38,929
Is it possible to help me understand how to achieve the following:

....

[thor@MikroTik] >
What are you using as your dns server on your LAN?
 

D4N_CPT

Well-Known Member
Joined
Sep 18, 2017
Messages
452
Is it possible to help me understand how to achieve the following:

....

[thor@MikroTik] >
If I understand your question and setup correctly, you are asking Google Maps for directions to a room in a hotel while you are in said hotel. Rather ask the hotel receptionist.

Like everything network-related, you can go about this in several different ways. Easiest by far is to have a static DNS record on your local DNS server with your local address, not your public one. Since your public IP is just forwarding to your local Pi anyway, the local one will always be preferred when on the local network, no routing needed.

To achieve this, add a static entry on your local DNS server/router for my-pi-is-bigger-than-yours.mydomain.com (<-- obviously just an example address) to point to 192.168.88.3
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
38,764
If I understand your question and setup correctly, you are asking Google Maps for directions to a room in a hotel while you are in said hotel. Rather ask the hotel receptionist.

Like everything network-related, you can go about this in several different ways. Easiest by far is to have a static DNS record on your local DNS server with your local address, not your public one. Since your public IP is just forwarding to your local Pi anyway, the local one will always be preferred when on the local network, no routing needed.

To achieve this, add a static entry on your local DNS server/router for my-pi-is-bigger-than-yours.mydomain.com (<-- obviously just an example address) to point to 192.168.88.3
Static DNS feels like a workaround.

I think I need a hairpin NAT approach.

What are the pros and cons?
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
38,764
Often the simplest solutions are the best.
And if I want to have 4 Raspberry Pis, how does one approach that?

Let's say I have sitea.com (443) on Pi 1 and siteb.com (443) on Pi 2 and sitec.com (443) also on Pi 2.

How do I access these sites from a single public IP on 443?

Will I need a reverse proxy, and if so can it be set up on Pi 1, or does the reverse proxy not play well with the normal webserver?

(I am only interested in Apache.)
 