Difference Between MikroTik and Cisco
In this tutorial, I will try to explain the basic configuration of the Mikrotik router. Mikrotik is a Latvian manufacturer of network equipment, and these devices are interesting because you can get a SOHO router with full enterprise capabilities for about 50 euros. In this lab, I will use the Mikrotik hEX lite RB750Gr3 router, but Mikrotik offers full enterprise-capable equipment, and it can compete with Cisco and other vendors.
With Mikrotik equipment, regardless of the device’s price, you get RouterOS, an operating system with the same capabilities on a small SOHO router and on a big enterprise router that can handle several thousand users. More information about Mikrotik equipment and its software can be found at www.mikrotik.com
Mikrotik Practical Lab
I did the labs in combination, which means in the cloud, in virtualization, and on a physical router. Mikrotik’s core product is RouterOS, i.e., the software itself: it routes packets that enter on one network interface and leave on another, and it works in both physical and virtual environments. I have used Amazon Web Services in this lab, but it can be set up on any other available cloud technology. I would also like to mention that English isn’t my first language, and therefore in this tutorial one could find misspelled words or grammatically incorrect sentences.
By running the Winbox tool (which comes on the router itself or can be downloaded from the Mikrotik website), I can control routers that I am managing. The Managed field contains saved connections to the routers, such as the routers running in the Cloud or multiple routers, which I may have on the local network.
However, when I go to the Neighbors field, Winbox uses Mikrotik’s neighbor discovery protocol on layer 2 to detect any Mikrotik router that responds by its MAC address. By clicking on the Refresh field, each Mikrotik router connected to the LAN should appear.
MikroTik Winbox Router Configuration First step
Since Mikrotik comes with the factory settings by default, its IP address is set to 0.0.0.0/0, and the router can only be accessed via layer 2, i.e., via the MAC address. This connection is often volatile (which does not apply to virtualization, where it is extremely stable): when the configuration takes place via Ethernet or wireless, the connection will often break. For this reason, it is necessary to enable IP connectivity on layer 3 as soon as possible to establish stable communication with the physical router.
For the lab’s needs, the WAN network will be 192.168.30.0/24, which is also the local network that I use. In the lab, it will behave as a “public” network to which the router connects. The local router, i.e., its local LAN network, will have the IP address range 10.30.4.0/24 and its own identity or name. The naming scheme is a two-digit number followed by the first letters of the first name and surname, written as one word. In my case, the router’s name would look like this:
There must be no space in the name, and it is necessary to pay attention to uppercase and lowercase letters, as the interface is case sensitive. The naming standard is essential in the enterprise environment, where the infrastructure contains hundreds of network devices in several different locations. Thus, it is necessary to establish a standard for naming as well as for the IP addresses.
The first step is to connect to the router, i.e., connect to the router on layer 2 via the MAC address. By clicking on the MAC address, it becomes visible in the Connect field, and by pressing Connect, the router interface opens. Winbox connects to the router with the default username admin, for which there is no
That means, in the Login field, I type admin and click Connect. After establishing a connection, the interface of the router opens.
There are five physical interfaces on the router. The interfaces have generic names (ether1, ether2, …), and it can be seen that there is some network traffic on the two interfaces to which the cables are connected (the letter R). Traffic is negligible on one interface, while on the other one there is more traffic. In this case, this increased traffic is a sign by which I can determine to which physical port the computer is connected (in my case, ether2), which means that the interface with increased traffic is the LAN interface. After determining which interface is the LAN and which one is the WAN port, these interfaces need to be named. The naming standard I will use goes like this:
Double-clicking on the interface brings up a menu where I enter the interface’s name in the General field and confirm by pressing OK or Apply. Then in the interfaces tab, it is visible that the interface name has changed.
It is important not to use spaces when changing the interface name. This is the key point because if I later access the router console, any name containing a space has to be wrapped in quotes, parentheses, and so on to get the syntax right.
The ordinal number is quite important because if I have a switch with 48 ports, it is good to know what is connected to which port, and the easiest way is to give each port an ordinal number. For example, 01-DC, 02-PBX, etc.
After naming the interfaces, the next step is to protect the router so that no one can access it without authorization. The first thing to do is to delete the admin account and create my own account and password.
The username and password are set in the System – Users menu.
When creating a user account, it is necessary to consider lowercase and uppercase letters since the interface is case sensitive.
After creating my account, I test it by connecting via a MAC address, using a newly created username and password.
Then it is necessary to name the router. This is done in the System – Identity menu.
I assigned the name:
This name is purely for the lab; otherwise, the router would be named after its function or location, or according to the given naming standard. The next step is to assign an IP address to the router. The IP address assigned to the WAN interface is going to be from the private IP range that I have in my local home network.
This local network will act as a public network. The address that will go to the WAN interface is 192.168.30.254/24. The IP address is assigned in the IP – Addresses menu.
The next step is to allow the router access to the Internet.
I will use the ping command to check whether the router has an Internet connection. In the Tools menu, I select Ping and type in an address that I know will answer. For example, 220.127.116.11, which is the address of Google’s DNS service.
To get access to the Internet, I need a Default Gateway IP address in the routing table. A routing table is a special part of the router’s operating system that deals with routes and seeks to answer the question “where to send the packet.” The routing table is located in the IP – Routes menu. Mikrotik’s Default Gateway will be my Fritzbox router with the IP address 192.168.30.1/24, and for lab purposes, my local network will act as an Internet Service Provider.
In the SOHO environment, the Mikrotik router most commonly receives the Default Gateway and the other parameters from the ISP via DHCP. If I use a leased line, which is the case in the enterprise environment, I get the public IP address, subnet mask, and Default Gateway information from the ISP and then have to configure them manually.
In this step, I will configure a default route to the gateway manually, as I would in the enterprise environment. The routing table currently has only one entry (image), and that entry is marked DAC, which means Dynamic, Active, Connected. A dynamic route is one that the router itself created.
After I addressed the interface and specified the subnet mask, the router had enough information to determine that all other hosts from that address range can be reached on that specific interface. It created a dynamic route to “teach itself” that the IP addresses from that range are potentially behind that interface.
This route is accessible via the WAN interface through which the router sends and receives packets.
In this step, the Default Route is created.
The route is created by clicking on the plus sign.
The routing table is consulted from the smallest (most specific) address range to the largest (least specific). This means that a packet traveling to, e.g., 18.104.22.168 will first be checked against the smallest routing mask, and that is 192.168.30.254/24. Since the packet to 22.214.171.124 does not belong to that range, the next candidate is the catch-all entry, the widest possible address, which is 0.0.0.0/0.
Then, the packet matched by 0.0.0.0/0 is forwarded to the address I specify in the routing table. Mikrotik will send all such packets to the Gateway located at 192.168.30.1/24. The route is configured by entering the Default Gateway’s IP address in the Gateway field.
As soon as I confirm by pressing Apply or OK, I see the new route in the Routes list menu.
I check with the ping command; if the ping to 126.96.36.199 goes through, I have established a connection to the Internet.
If I ping www.google.com or any other name from the terminal, that ping will not go through because Mikrotik cannot resolve the name at this time, since DNS is not configured.
The ping to 188.8.131.52 goes through from both the terminal and the Ping tool. However, the ping to www.google.com does not go through because DNS is not yet configured: Mikrotik does not know where to send the DNS request because it does not know where its DNS server is.
The DNS server’s IP address needs to be configured in the IP – DNS menu, where I enter my local DNS server’s IP address in the Servers field.
After entering the DNS server address, Mikrotik is able to send DNS requests, and it is possible to resolve the name.
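The Winbox steps from naming the interfaces through configuring DNS, collected as RouterOS v6 terminal commands. This is an added example, not part of the original tutorial; the user name, password and router name are placeholders, and using the Fritzbox at 192.168.30.1 as DNS server is an assumption.

```routeros
# Added example: the Winbox steps above as RouterOS (v6) terminal commands.
# Values in angle brackets are placeholders, not from the tutorial.

# 1. Name the interfaces: ordinal number first, no spaces, case-sensitive.
/interface ethernet set [ find default-name=ether1 ] name=01-WAN
/interface ethernet set [ find default-name=ether2 ] name=02-LAN

# 2. Personal account with full rights, then remove the default admin account.
#    Log in once with the new account before removing admin.
/user add name=<USERNAME> password=<PASSWORD> group=full
/user remove admin

# 3. Router identity (lab name; in production, function or location).
/system identity set name=<ROUTER-NAME>

# 4. WAN address on the lab's "public" network.
/ip address add address=192.168.30.254/24 interface=01-WAN comment="lab WAN"

# 5. Static default route to the Fritzbox, as on a leased line.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.30.1 comment="default gateway"

# 6. DNS server. Assumption: the Fritzbox also resolves names.
#    allow-remote-requests=no keeps the router from becoming an open resolver.
/ip dns set servers=192.168.30.1 allow-remote-requests=no

# 7. Checks: gateway reachability first, then name resolution.
/ping 192.168.30.1 count=3
/ping www.mikrotik.com count=3

# The connected route shows DAC, the default route AS (active, static).
/ip route print
/ip dns print
```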
After setting up DNS, it is necessary to upgrade the operating system. This is now possible because DNS can resolve the address from which the upgrade is downloaded. To upgrade, I need to go to the menu;
This is a sign that DNS is working. In my case, there are no new updates. However, after the router checks for a new update, the Download tab appears below the Check for updates tab. After downloading, the router goes to reboot, and after the operating system is booted into memory, Mikrotik is then running with the latest possible version of Router OS.
The next step is to set the correct time. Setting the time is essential because if some problems occur, I can later look in the log and see the exact time when something happened. Besides, the router can use DHCP to assign time settings to other devices for which it serves as a DHCP server. The NTP server is configured in the System – SNTP Client menu, and I need to enter the NTP server’s IP address. There are various NTP servers, but I opted for a server at 184.108.40.206
Then I go to System – Clock and manually set the time zone. I chose Luxembourg because I am located in Luxembourg.
The Mikrotik router can be configured to retrieve the IP address, DNS, and NTP from the operator via DHCP. This is most often the case in practice, especially in a SOHO environment. In order not to delete the already existing configuration, I will use the disable option. In the IP menu, Addresses submenu, I select the existing address and disable it by pressing the red x.
It is also necessary to temporarily disable the existing route. This is done in the IP menu, Routes submenu, by disabling it in the same way the address was disabled.
To assign an IP address to Mikrotik via a DHCP client, in the IP menu, I select the DHCP Client submenu; by clicking on the plus, I get a menu to choose an interface where the address will be retrieved. In my case, it is the 01-WAN interface.
There are two marked fields; Use Peer DNS and Use Peer NTP. This means that Mikrotik gets DNS and NTP settings from the DHCP Server.
The Add Default Route option can be used in an interesting way. Mikrotik generates a default route itself if Add Default Route is set to yes. However, if an individual in the enterprise environment shows up with his own router and connects it to the network, that router’s DHCP server will create chaos in the network. It is possible to find out with Mikrotik whether this is the case. If such a situation has potentially occurred, I configure Mikrotik to take DHCP settings as a client on the LAN interface, but without adding a default route.
Mikrotik will then only get an IP address and a subnet mask, proving that there really is an unknown DHCP server on the network, and I will be able to do further diagnostics.
After I have enabled Mikrotik to get an IP address as a client, I can check this in the address list. Unfortunately, the Default Gateway (the Fritzbox on the local network) already has Mikrotik in its table at 192.168.30.254, so the address itself looks no different from the manual configuration. However, the letter D is visible next to the new IP address, which means it is dynamically assigned.
These settings, where Mikrotik works as a DHCP client, include the basic WAN IP address setting. Due to the lab’s needs, I will turn off the dynamic settings and restore the original configuration of the router. After adjusting the NTP settings and testing the DHCP client function, I will turn off Mikrotik’s services that I currently do not need. By doing so, I want to close access to the router through the ports from which I will not log in anymore.
To do so, I select Services and the IP Service List in the IP menu and turn off the services I don’t need. IP – Services
The figure shows all the services through which I can access the router and configure it. I will shut down the API, API-SSL, FTP, and WWW services, as I will not connect to the router through these ports. By doing so, I want to restrict access to the router as much as possible.
The services are turned off by selecting them with the mouse and clicking the red x sign. They fade out after they are turned off, and the X is shown in the first column.
Services that have remained active can be further protected by assigning IP addresses from which they can be accessed.
For example, if I click on the SSH service, a window with an Available From field appears, where I can enter the IP address(es) from which alone it is possible to access that specific service.
I entered private IP addresses, which means that I can only connect from the private IP range via SSH. I repeated the same procedure for telnet and Winbox.
Restricting these services to the private IP address range is a good practice. Even if someone knows my username and password, he or she can’t access the router remotely, but only from the LAN from which Mikrotik is set to be accessible. In case I need to access a Mikrotik remotely, I add to the Available From field the public IP address or addresses from which access to the router is possible. In this way, I am quite well protected from unauthorized access to the router, i.e., the routers that I manage.
As an additional layer of protection, it is possible in the System – Users menu to allow users to access Mikrotik only from certain designated IP addresses.
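The service restriction and the per-user address restriction described above as RouterOS v6 terminal commands. This is an added example, not code from the tutorial; the user name is a placeholder, and the two ranges are assumed to be the lab’s LAN and “WAN” networks, since the tutorial only says “private IP addresses”.

```routeros
# Added example: restricting management access, as in the Winbox steps above.
# Assumed ranges: 10.30.4.0/24 (lab LAN) and 192.168.30.0/24 (lab "WAN").

# Services not used for management are disabled outright.
/ip service disable [ find name=api ]
/ip service disable [ find name=api-ssl ]
/ip service disable [ find name=ftp ]
/ip service disable [ find name=www ]

# The remaining services only answer requests from the private ranges.
# Telnet is kept because the tutorial keeps it; it is cleartext, so in
# practice prefer disabling it and using SSH and Winbox only.
/ip service set ssh    address=10.30.4.0/24,192.168.30.0/24
/ip service set telnet address=10.30.4.0/24,192.168.30.0/24
/ip service set winbox address=10.30.4.0/24,192.168.30.0/24

# Second layer: the account itself may only log in from those ranges,
# so a leaked password is useless from anywhere else.
/user set [ find name=<USERNAME> ] address=10.30.4.0/24,192.168.30.0/24

# Verify: disabled services are flagged X, the others list their addresses.
/ip service print
/user print
```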
In this step, I will configure email notifications.
I will set up an email notification when someone tries to log in to the Mikrotik router with the wrong username or password. For the needs of the lab, I have created an email account
The router will use this email address to send a notification on my private email address that there was an attempt to log in to the Mikrotik router with incorrect credentials.
It is necessary to make an action, i.e., a “trigger” that will start sending the email. The action is created in the System menu and the Logging submenu.
Then I enter the address to which the reports will be sent; here I have entered my private email address.
It is necessary to create a rule that calls the action of sending the email. In the Rules tab, I click on the plus, and a menu with various topics appears. I choose the topic called critical, and I put the name of my router in the prefix. This is very practical when I have several routers, because I immediately know which router the notification is coming from. In the Action dropdown menu, I select the action I created, TestEmail.
I check whether the rule and action work by opening a new Winbox and logging in with a wrong password. For the needs of the lab, I entered 123456 in the password field.
I received an email notification that someone tried to log in to the Mikrotik router with the wrong password via Winbox. In the received email, I got the identity of the router as well as its MAC address.
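The email action and logging rule from this section as RouterOS v6 terminal commands, followed by a check of the log entry that triggers them. This is an added example, not part of the tutorial; the SMTP server, sender, recipient and router name are placeholders, and the quoted message text is the form RouterOS uses when it logs a failed login.

```routeros
# Added example: e-mail alert on failed logins, as in the Winbox steps above.
# Values in angle brackets are placeholders, not from the tutorial.

# SMTP account the router sends from (RouterOS v6 names the SMTP server "address").
# STARTTLS keeps the credentials and the alert off the wire in cleartext.
/tool e-mail set address=<SMTP-SERVER> port=587 tls=starttls \
    from=<lab-sender@example.com> user=<lab-sender@example.com> password=<SMTP-PASSWORD>

# Logging action: deliver matching log lines by e-mail to the private address.
/system logging action add name=TestEmail target=email email-to=<private@example.com>

# Logging rule: failed logins are logged under the critical topic; the prefix
# tells which router the alert came from when several routers are managed.
/system logging add topics=critical prefix=<ROUTER-NAME> action=TestEmail

# Check: a failed Winbox login leaves a line of the form
#   login failure for user <USERNAME> from 192.168.30.10 via winbox
/log print where message~"login failure"
```

Each matching log line produces one e-mail, so a burst of wrong passwords produces a burst of messages; that is acceptable for a lab but worth knowing before pointing the rule at a busy router.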