
WIP

Merge with mikrotik.md

https://help.mikrotik.com/docs/

Initial config of a MikroTik firewall

Connect a cable to one of the LAN ports. In the factory configuration ether1 is the WAN port and the remaining ports are bridged together as the LAN, with the router listening on 192.168.88.1/24.

Find the router. nmap has no -sm scan type; -sn is a ping sweep of the subnet you are on:

sudo nmap -sn 10.0.5.0/24

Configure the computer interface. The ip command takes a prefix length and a plain device name (the ifconfig-style alias enp3s0:0 is not an ip argument):

sudo ip addr add 192.168.88.234/24 dev enp3s0

The static address is only needed if you want to avoid DHCP. The default configuration runs a DHCP server on the LAN bridge, so a DHCP client on the cable is handed an address automatically.

Firewall rules on the workstation

While the laptop is plugged into a device you do not trust yet, accept ARP only from the router's MAC (replace the all-zero placeholder with the address from the label or from ip neigh). The arp-family table "filter" with an INPUT chain hooked on input and a drop policy has to exist before this rule is added; nft takes a single MAC directly, without set braces:

sudo nft add rule arp filter INPUT iifname "enp3s0" ether saddr 00:00:00:00:00:00 accept

Add new users. The parameter list below is from the Wiki; several of them only apply to PPP sessions, not to router logins. RouterOS takes name=value pairs:

/user add name=yu group=full
/user set yu address=192.168.88.0/24   # example: accept logins for yu only from the LAN subnet

name - (required) User name. Must start with an alphanumeric character and may contain alphanumeric characters, "*", "_", ".", "@".
group - (required) Name of the group the user belongs to. The system default groups are 'full', 'write', 'read', and 'ppp'. See below on how to manage user groups.
password - User password. If not specified, it is left blank (hit 'Enter' when logging in). Conforms to the usual Unix rules for passwords; can contain letters, digits, "*" and "_".
baud-rate - Connection rate limit for PPPoE.
caller-id - For PPTP the IP address of the client, for PPPoE the MAC address of the client.
max-session-time - (Only for PPP connections) Maximum session time a user can have when logged in.
only-one - (yes / no) (Only for PPP connections) If 'yes' the user can have only one session at a time.
address - IP address from which the user is allowed to log in. When logging in using PPP, if the remote address is specified in the PPP interface settings, this address must match it for the client to log in. Can be in the form address/mask, where 'mask' is the number of bits in the subnet mask. This is the one parameter in the list that directly limits where an administrator can connect from.
netmask - Network mask of addresses assigned to the user.

The older, no longer maintained manual documents these parameters in more detail than the current Wiki.

Configure SSH access

Create a key pair (optional, but the rest of this section assumes one). Older RouterOS releases import only RSA user keys (and, long ago, DSA); Ed25519 import was added in recent v7 releases, so check the changelog for your version. RSA 4096 is accepted everywhere:

ssh-keygen -C "Yuri Alek" -t rsa -b 4096 -f ~/.ssh/mikrotik

Upload the public key (the .pub file only) to the router's file list, for example with scp or via the WinBox Files window.

Import the key for your user. The key is bound to that user only:

/user ssh-keys import user=yu public-key-file=mikrotik.pub

SSH settings. strong-crypto=yes drops the weak ciphers, MACs and small DH groups; allow-none-crypto=no refuses the "none" cipher; always-allow-password-login=no stops users who have a key from falling back to a password. Users without any key can still log in with a password, so every account that must be key-only needs a key imported.

/ip ssh set always-allow-password-login=no allow-none-crypto=no strong-crypto=yes

Regenerate the SSH host key (interactive, asks for confirmation). Clients that already trusted the old key have to update their known_hosts entry afterwards:

/ip ssh regenerate-host-key

Logs.

/log print detail where topics ~ "ssh"

Change the SSH port (optional). The router becomes unreachable if the input chain does not already accept the new port from your management subnet, so add that rule first and make the change from a Safe Mode terminal (Ctrl-X), which rolls it back if the session is lost.

# Add the firewall rule for the new port before running this
/ip service set ssh port=55643
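The steps above as one sequence, as an added example that is not part of the original notes. It assumes the user yu already exists, mikrotik.pub has been uploaded, management is done from 192.168.88.0/24 and the new port is 55643; those values are placeholders. Run it from a Safe Mode terminal (Ctrl-X) so that a lost session rolls everything back.

```routeros
# Added example (not from the original notes). Placeholders: user "yu",
# key file mikrotik.pub, management subnet 192.168.88.0/24, port 55643.

# 1. Bind the public key to the user and confirm it landed before touching
#    authentication; an account without a key keeps password login.
/user ssh-keys import user=yu public-key-file=mikrotik.pub
/user ssh-keys print where user=yu

# 2. Key-only for key holders, strong algorithms only, no port forwarding
#    through the router (forwarding-enabled exists on 6.44+ and v7).
/ip ssh set always-allow-password-login=no allow-none-crypto=no strong-crypto=yes forwarding-enabled=no

# 3. Open the new port from the management subnet BEFORE moving the service.
#    Check with "/ip firewall filter print" that no earlier drop rule in the
#    input chain shadows it; move it up with "move" if it does.
/ip firewall filter add chain=input protocol=tcp dst-port=55643 src-address=192.168.88.0/24 action=accept comment="mgmt: ssh on custom port"

# 4. Move the listener and, as a second layer, let the service itself
#    answer only the management subnet.
/ip service set ssh port=55643 address=192.168.88.0/24

# 5. From the workstation: ssh -p 55643 -i ~/.ssh/mikrotik yu@192.168.88.1
#    Then confirm the router logged a key-based login and no password fallback.
/log print detail where topics ~ "ssh"
```

Only after the new session works should Safe Mode be released; the old rule for port 22 can then be removed.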

Update

/system package update check-for-updates
/system package update download   # only downloads the new packages
/system package update install    # installs them and reboots the router

The RouterBOARD firmware is a separate step (/system routerboard upgrade, followed by another reboot); keep both current, since advisories have affected each.

Change the name

/system identity set name=mikrotik

Hardening

Disabling unused interfaces

List interfaces

/interface print

Disable interfaces. The numbers are the ones from the preceding print and only hold for that session; in a saved script use the interface names instead:

/interface set 3,4 disabled=yes

Disabling unused services

List services

/ip service print

Disable services. Keep exactly the management channels you use (here ssh, winbox and www stay enabled) and restrict each of them to your management addresses with the address= parameter of /ip service set:

/ip service disable [find name=telnet]
/ip service disable [find name=ftp]
#/ip service disable [find name=www]   # WebFig; disable too if you only use ssh/WinBox
/ip service disable [find name=www-ssl]
/ip service disable [find name=api]
/ip service disable [find name=api-ssl]
/tool bandwidth-server set enabled=no
# allow-remote-requests=no also stops the router resolving for LAN clients;
# keep it yes, with UDP 53 firewalled to the LAN only, if clients use the router as resolver
/ip dns set allow-remote-requests=no
/ip socks set enabled=no

Disable MAC access. MAC-Telnet, MAC-WinBox and MAC-ping work over layer 2 without any IP configuration, so anyone on the same segment can reach them regardless of the IP firewall:

/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

User accounts

Admin account. Set the password first, then rename; address the account by name rather than by print index. Newer devices ship with a per-device password printed on the label, which must be changed at first login.

/user set admin password=mygreatpassword
/user set admin name=tikadmin comment="Default account - BACKUP ONLY"

Add a user account (the day-to-day login; the renamed admin stays as a fallback):

/user add name=yu password="some secure password" group=full comment="Some nice comment"
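An added example (not from the original notes) that ties the user parameters documented above to this section: a read-only group, an address-restricted full user, and the built-in admin kept as a disabled break-glass account. The group name, user names, the 192.168.88.0/24 management subnet and the monitoring host address are placeholders; passwords are set out of band.

```routeros
# Added example (not from the original notes). Placeholders: group ops-ro,
# users yu/monitor, management subnet 192.168.88.0/24, monitoring host .10.

# A group for day-to-day operations: read the config, log in via ssh/winbox,
# run ping/traceroute (test); no write, no reboot, no file access.
# Policies not listed are off.
/user group add name=ops-ro policy=read,ssh,winbox,test

# Operator account: full rights, but logins are accepted only from the
# management subnet, so a leaked password is useless from the WAN or a guest VLAN.
/user add name=yu group=full password="<strong-passphrase>" address=192.168.88.0/24 comment="primary admin"

# Read-only account for monitoring tooling, pinned to a single host.
/user add name=monitor group=ops-ro password="<another-passphrase>" address=192.168.88.10/32 comment="monitoring host"

# Only after a login as yu has been tested from a second session:
# rename the built-in admin, give it a password, and disable it.
/user set admin name=tikadmin password="<break-glass-passphrase>" comment="Default account - BACKUP ONLY"
/user disable tikadmin

# Verify: one enabled full user, one read-only user, admin disabled.
/user print
/user group print
```

Re-enable tikadmin only from a console session when every other account is locked out; that is what the comment is for.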

Neighbor Discovery

Stop the router announcing itself (MNDP/CDP/LLDP) on every interface. Use whichever of the first two paths your version accepts; on RouterOS 6.44+ and v7 it is discovery-settings:

/ip neighbor discovery set discover-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# These don't work (syntax from older releases)
/ip neighbor discovery settings set default=no default-for-dynamic=no
/ip neighbor discovery set [find] discover=no
/ipv6 nd set [find] disabled=yes

Reverse Path Filtering

strict drops packets that arrive on an interface other than the one the router would use to reach their source. That catches spoofed sources, but also breaks asymmetric routing (multi-WAN, some VPN setups); use rp-filter=loose there.

/ip settings set rp-filter=strict

Login banner

/system note set show-at-login=yes
/system note set note="Authorized administrators only. Access to this device is monitored."

NTP Clock Synchronization

Correct time is needed for usable logs and for certificate validation (updates, TLS):

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

Firewall
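A default-deny input chain plus the forward-chain baseline, as an added example that is not part of the original notes. It assumes ether1 is the WAN port, the default bridge is the LAN, SSH is still on port 22 and administration comes from 192.168.88.0/24; all of those are placeholders. On a router that still has the factory configuration the WAN and LAN interface lists already exist, so the four list lines are skipped. Apply it from a Safe Mode terminal.

```routeros
# Added example (not from the original notes). Placeholders: ether1 = WAN,
# bridge = LAN, management subnet 192.168.88.0/24, ssh on 22, winbox on 8291.

# Interface lists let every rule say "trusted side" / "untrusted side"
# instead of naming ports. Skip these if the default config already made them.
/interface list add name=WAN comment="untrusted"
/interface list add name=LAN comment="trusted"
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

# Address list of admin workstations; extend it instead of editing rules.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="admin workstations"

/ip firewall filter
# --- input: traffic addressed to the router itself ---
# Stateful baseline: keep replies to what the router started, drop junk early.
add chain=input action=accept connection-state=established,related comment="input: established/related"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
# ICMP is needed for path MTU and troubleshooting; rate-limit instead of blocking.
add chain=input action=accept protocol=icmp limit=20,5:packet comment="input: icmp (rate limited)"
# Management only from the admin list, only on the trusted side.
add chain=input action=accept in-interface-list=LAN src-address-list=mgmt protocol=tcp dst-port=22,8291 comment="input: ssh/winbox from mgmt"
# LAN clients still need DHCP if the router serves it.
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="input: dhcp from LAN"
# Default deny. Everything else aimed at the router is logged and dropped;
# the log shows what legitimate service you forgot before it bites.
add chain=input action=drop log=yes log-prefix="input-drop" comment="input: default drop"

# --- forward: traffic routed through the box (same shape as the default config) ---
add chain=forward action=fasttrack-connection connection-state=established,related comment="forward: fasttrack"
add chain=forward action=accept connection-state=established,related comment="forward: established/related"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
# Nothing new comes in from the WAN unless a dst-nat rule explicitly published it.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="forward: drop unsolicited from WAN"

# The same LAN list can scope the L2 management services instead of =none,
# if WinBox-over-MAC from the inside is wanted.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

/ip firewall filter print
```

Rule order is the policy: the accepts must sit above the final drop, and a port change for SSH (see above) means editing the dst-port list here first. The log prefix makes the drops easy to pull with /log print where message~"input-drop".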

Wifi

/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto mode=ap-bridge ssid=ONO53FA wireless-protocol=802.11

This line sets no security-profile, so the AP runs with the "default" profile, which is open (mode=none) until someone changes it. Configure WPA2 in the profile and, if wanted, a station allow-list:

/interface wireless security-profiles print
/interface wireless access-list print

Access from the MikroTik app

The app speaks the WinBox protocol on TCP 8291. This rule lets one phone in from the LAN bridge. A MAC match is easily spoofed, so pair it with the address= restriction on the winbox service and never open 8291 towards the WAN:

/ip firewall filter add action=accept chain=input comment="Allow phone" connection-state=new dst-port=8291 in-interface=bridge protocol=tcp src-mac-address=00:00:00:00:00:00

Other

Check the number of established connections (the flag is count-only):

/ip firewall connection print count-only where tcp-state=established