= Setting up a MikroTik as default router Victor Toni https://github.com/vitoni // Settings: :toc: preamble :!toc-title: :toclevels: 5 ifndef::env-github[:icons: font] ifdef::env-github[] :status: :note-caption: :paperclip: :tip-caption: :bulb: endif::[]

Documentation for setting up MikroTik routers for use with Telekom / MagentaTV.

== Introduction

There are many good routers for consumer households. The decision to use a https://mikrotik.com[MikroTik] router, which you would be more likely to find in a network lab, was based on previous exposure and the intention to reduce the total number of devices. It could have been custom hardware with https://www.pfsense.org/[PFsense] or https://opnsense.org/[OPNsense] on top, but since the network will also have WiFi meshing in the future, the MikroTik router can act directly as a coordinator (for MikroTik APs) without the need for another device, and the solution is hopefully also more power-efficient than a dedicated mini-PC.

Custom routing solutions like MikroTik routers can be configured down to the smallest detail, but it is easy to get lost in these details, especially if the configuration is not done on a daily basis.

This documentation is mainly intended to serve me as a reference for the configuration steps carried out (and why they were necessary / useful), but perhaps it could be helpful for others as well.

== Prerequisites

Internet connection: Telekom with BNG and MagentaTV

Existing setup ** https://avm.de/produkte/fritzbox/fritzbox-4040/[AVM Fritz!Box 4040] as router ** https://www.zyxel.com/de/de/products/dsl-cpe/wireless-n-vdsl2-4-port-gateway-with-usb-vmg1312-b30a[Zyxel VMG1312-B30A] as external modem (VDSL2 and also taking care of VLAN 07 tagging) ** Network: 10.0.0.0/16 ** DHCP *** Static leases (and IP-addresses) for well-known hosts *** Dynamic IP-addresses for guests (range: 10.0.234.0/24)
New router: https://mikrotik.com/product/rb5009ug_s_in[RB5009UG+S+IN] ** will reuse the existing modem until fiber gets installed ** when fiber is available, the SFP port will carry the GPON SFP module *** Telekom sells the https://geschaeftskunden.telekom.de/internet-dsl/produkt/digitalisierungsbox-glasfasermodem-kaufen[Digitalisierungsbox Glasfasermodem] which is a https://hack-gpon.github.io/ont-zyxel-pmg3000-d20b/[Zyxel PMG3000-D20B]. This modem has a SC/APC socket, the wall box has a LC/APC socket. + (Some tutorials say one needs a ONT-Anschlusskennung, for me using the https://www.telekom.de/hilfe/festnetz-internet-tv/anschluss-verfuegbarkeit/anschlussvarianten/glasfaseranschluss/modem-id[modem ID] during configuration was just fine. ONT might be required for business accounts though.) *** Corning has https://www.amazon.de/dp/B09GRK3QG6[fiber cables in various lengths] for a moderate price (but they have only 2 mm white cables, the 3 mm ones are yellow).

UPDATE: Usage of the SFP proved to be flaky, issues seem to caused by the MikroTik side:

erroneous temperature readings of the SFP by MikroTik leading to the SFP being shut down
auto-negotiation not working (worked around by setting the sfp-sfpplus1 interface to auto-negotiation=no speed=1Gbps)
finally the https://mikrotik.com/product/rb5009ug_s_in[RB5009UG+S+IN] not recognizing the SFP after about 9 months (a https://mikrotik.com/product/hex_s[hEX S] had no issues with the SFP module and the fiber connection seemed to continue to work...)

The SFP has been replaced by the https://www.telekom.de/zuhause/geraete-und-zubehoer/wlan-und-router/glasfaser-modem-2[Glasfaser Modem 2] which seems to be more of a media converter than an actual modem. Works fine for now but now setup is back to 2 devices. As the included fibre cable is quite short, it got replace by https://www.amazon.de/dp/B08XMN6JPL[a longer fiber cable from InLine].

== PPPoE credentials

The regular Telekom-PPPoE user consists out of multiple parts derived from the contract data.

The full PPPoE username would be:

AAAAAAAAAAAATTTTTTTTTTT#[email protected]

with

A => Anschlusskennung
T => T-Online-Nummer
M => Mitbenutzernummer

(If the AAAAAAAAAAAATTTTTTTTTTT part is 24 characters long, the # character before the MMMM part can be omitted.)

== Default configuration of RB5009UG+S+IN

RouterOS (v7.14) comes with this link:scripts/mikrotik/default-configuration/script.rsc[default configuration].

The default configuration script can be queried with this command

[,RouterOS]

/system/default-configuration/script print

or to show all default configuration scripts:

[,RouterOS]

/system/default-configuration print

[discrete] === References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/Default+configurations[Default configurations]

== Setting up the basic network and connectivity

=== Remove WAN interfaces from bridge

The SFP interface might become the new WAN device when using fiber. As it is not used for the internal network it can be already removed.

[,RouterOS]

/interface bridge port remove [find interface=sfp-sfpplus1]

=== Setup using "Quick Set"

"Quick Set" helps with the initial setup, especially when the network address shall be changed.

|=== | Setting | Value | Comment

| | |

| Mode | [x] Router |

| | |

| Port a| eth1 |

| Address Acquisition a| PPPoE |

| PPPoE User a| [email protected]+ |

| PPPoE Password a| 12345678 |

| PPPoE Service Name a| Telekom | (optional)

| | |

| IP Address a| 10.0.0.1 |

| Netmask a| 255.255.0.0/16 |

| Bridge All LAN Ports | [ ] |

| DHCP Server | [x] |

| DHCP Server Range a| 10.0.234.1-10.0.234.254 |

| NAT | [x] | |===

[discrete] ==== References

MikroTik ** https://wiki.mikrotik.com/wiki/Manual:Quickset[Manual - Quickset]

=== Manual setup

==== Setup of DHCP and IP range

The network is already set up with 192.168.88.1/24. This snippet changes the respective addresses and ranges.

For consistency all these commands should be executed at once:

[,RouterOS]

/ip pool set [find name=default-dhcp] name=dhcp-LAN ranges=10.0.234.1-10.0.234.254

/ip dhcp-server set [find address-pool=default-dhcp] address-pool=default-LAN

/ip address set [find address=192.168.88.0/24]
address=10.0.0.0/16
network=10.0.0.0
interface=bridge

/ip dhcp-server network set [find address=192.168.88.0/24]
address=10.0.0.0/16
netmask=16
gateway=10.0.0.1
dns-server=10.0.0.1

/ip dns static set [find address=192.168.88.1]
address=10.0.0.1
name=router

[discrete] ===== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/IP+Pools[IP Pools] ** https://help.mikrotik.com/docs/display/ROS/IP+Addressing#IPAddressing-AddingIPAddress[IP Addressing - Adding IP Address] ** https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-Network[DHCP-Network] ** https://help.mikrotik.com/docs/display/ROS/DNS#DNS-DNSStatic[DNS Static]

==== Create VLAN tagged interface for PPPoE

Set up a VLAN interface for the PPPoE client. This is only required when the modem doesn't take care of tagging.

Depending on the modem, interface can be any of:

ether1 (external modem without VLAN tagging)
sfp-sfpplus1 (SFP modem without VLAN tagging)

[,RouterOS]

/interface vlan add interface=ether1 vlan-id=7 name=vlan07-telekom comment=Telekom

[discrete] ===== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/VLAN#VLAN-Layer3VLANexamples[VLAN - Layer3 VLAN examples]

==== Configure PPPoE client

Depending on the modem configuration interface can be any of:

vlan07 (modem has no VLAN tagging)
ether1 (modem does VLAN tagging)
sfp-sfpplus1 (SFP modem does VLAN tagging)

As default the PPPoE client is disabled to prevent it from starting before configuration is complete.

[,RouterOS]

/interface pppoe-client add interface=vlan07-telekom add-default-route=yes
use-peer-dns=yes
name=pppoe-out1
user="AAAAAAAAAAAATTTTTTTTTTT#[email protected]"
password="12345678"
disabled=yes
comment=Telekom

[discrete] ===== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration#FirstTimeConfiguration-PPPoEConnection[First Time Configuration - PPPoE Connection]

==== Add PPPoE interface to WAN interface list for firewall

In addition to specific interfaces the firewall uses more generic interface lists. The PPPoE client's interface must be added to the WAN interface list to make it work.

[,RouterOS]

/interface list member add list=WAN interface=pppoe-out1 comment=Telekom

==== Activate PPPoE client

Now that Internet settings are all configured the PPPoE can be activated.

[,RouterOS]

/interface pppoe-client set [find name=pppoe-out1] disabled=no

== Extended network configuration

=== Multicast / IPTV configuration

==== Set up IGMP proxy

[,RouterOS]

/routing igmp-proxy interface add interface=pppoe-out1 alternative-subnets=87.141.215.251/32 upstream=yes comment=MagentaTV add interface=bridge comment=MagentaTV

[discrete] ===== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/IGMP+Proxy#IGMPProxy-Examples[IGMP Proxy - Examples]

==== Add IP range of multicast networks

[,RouterOS]

/ip firewall address-list add address=224.0.0.0/4 list=Multicast comment=MagentaTV add address=232.0.0.0/16 list=Multicast comment=MagentaTV add address=239.35.0.0/16 list=Multicast comment=MagentaTV

==== Add firewall rules to allow traffic from multicast networks

[,RouterOS]

/ip firewall filter add chain=input action=accept dst-address-list=Multicast place-before=2 comment=MagentaTV add chain=forward action=accept dst-address-list=Multicast place-before=2 comment=MagentaTV

==== Activate IGMP snooping on bridge

[,RouterOS]

/interface bridge set [find where name=bridge and comment=defConf]
igmp-snooping=yes igmp-version=3 mld-version=2 multicast-router=permanent comment=MagentaTV

[discrete] ===== References

MikroTik ** https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403#BridgeIGMP/MLDsnooping-BasicIGMPsnoopingconfiguration[Basic IGMP snooping configuration]

[discrete] ==== Sources

https://simon.taddiken.net/magenta-mikrotik/[Telekom Magenta TV/Entertain mit Mikrotik Router und VLANs]
https://administrator.de/tutorial/mikrotik-telekom-magenta-tv-iptv-tutorial-667348.html[Mikrotik - Telekom Magenta TV - IPTV - Tutorial]

=== Extended DHCP configuration

==== Add static DHCP leases

[,RouterOS]

/ip dhcp-server lease add client-id=1:22:33:44:55:66:77 mac-address=22:33:44:55:66:77 address=10.0.25.2 comment="Notebook-1" add client-id=1:12:23:34:45:56:67 mac-address=12:23:34:45:56:67 address=10.0.25.11 comment="Android-5"

[NOTE]

The `client-id` is required, otherwise the router seems to not persist the entry. The `client-id` was calculated by using the prefix `1:` and the MAC of the device.

[discrete] ===== References

MikroTik ** https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Leases[DHCP-Server / Leases] ** https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-Leases[DHCP / Leases]

==== Add static DNS record for known hosts

[,RouterOS]

/ip dns static add name="Notebook-1" address=10.0.25.2 add name="Android-5" address=10.0.25.11

Or with the lan domain configured:

[,RouterOS]

/ip dns static add name="Notebook-1.lan" address=10.0.25.2 add name="Android-5.lan" address=10.0.25.11

[discrete] ===== References

MikroTik ** https://wiki.mikrotik.com/wiki/Setting_static_DNS_record_for_each_DHCP_lease[Setting static DNS record for each DHCP lease]

==== Using existing data from Fritz!Box

Fritz!OS (tested with v7.29) provides an API to query data from the router.

This data can be reused to configure the MikroTik router.

The xref:Fritz2Tik.adoc[Fritz2Tik] documentation describes the details and steps needed to transform the data accordingly.

==== Add default search domain (list)

DHCP option 119 can be used to provide a default search domain (list) to clients.

The domain names used are based on DNS labels (https://www.ietf.org/rfc/rfc1035.html#section-4.1.4[RFC 1035 - 4.1.4]) which is not very convenient if one has to derive them on its own... But there is a nice online tool helping with that: https://jjjordan.github.io/dhcp119/[DHCP Option 119 Encoder]

Search domain of: lan

[,RouterOS]

/ip dhcp-server option add code=119 name=domain-search-list value="0x03'lan'0x00"

or e.g. search domain list of: lan;foo (don't use box as it's a https://newgtlds.icann.org/en/program-status/delegated-strings[potential TLD since 2016-11-11]):

[,RouterOS]

/ip dhcp-server option add code=119 name=domain-search-list value="0x03'lan'0x0003'foo'0x00"

Use the domain search option as part of an option set:

[,RouterOS]

/ip dhcp-server option sets add name=domain-search-set options=domain-search-list

Configure the DHCP server to use the given option set:

[,RouterOS]

/ip dhcp-server set [find name=dhcp-LAN] dhcp-option-set=domain-search-set

[discrete] ===== References

MikroTik ** https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#DHCP_Options[DHCP Server - Options] ** https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#DHCP_Option_Sets[DHCP Server - Option Sets]
IANA ** http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml[DHCP Parameters] ** https://newgtlds.icann.org/en/program-status/delegated-strings[Delegated Strings | ICANN New gTLDs] ** https://www.iana.org/domains/root/db/box.html[Delegation Record for .BOX]
Helper ** https://jjjordan.github.io/dhcp119/[DHCP Option 119 Encoder]

=== Restricting time / bandwidth

RouterOS supports setting up online time / bandwidth restrictions for clients. This functionality is called Kid Control.

[discrete] ==== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/Kid+Control[Kid Control]

==== Creating profiles

[,RouterOS]

/ip kid-control add name=Time
mon=0s-1h,16h-1d
tue=0s-1h,16h-1d
wed=0s-1h,16h-1d
thu=0s-1h,16h-1d
fri=0s-1h,16h-1d
sat=0s-1h,12h-1d
sun=0s-1h,12h-1d add name=Time-Bandwidth
mon=0s-1h,16h-1d
tue=0s-1h,16h-1d
wed=0s-1h,16h-1d
thu=0s-1h,16h-1d
fri=0s-1h,16h-1d
sat=0s-1h,12h-1d
sun=0s-1h,12h-1d
rate-limit=70M

[NOTE]

For times up to midnight one has to use:

on the CLI: 1d or 24h
on web UI: 1d 00:00:00

For times starting at `00:00:00` one has to use `0s` on the CLI. + Even if the UI suggests it supports seconds (because they are shown), it does not.

==== Assign devices to profiles

[,RouterOS]

/ip kid-control device add mac-address=12:23:34:45:56:67 name=Android-5 user=Time add mac-address=22:33:44:55:66:77 name=Notebook-1 user=Time-Bandwidth

=== Configuration of custom DNS server

For various reasons one might want to use custom server for DNS resolution instead the ones provided by the ISP. Reasons could be eg.:

content filtering (malicious sites, spam domains, etc.)
speed
some domain names not resolving properly
cached and outdated ones being resolved
and more...

A non-exhaustive list of some better known public DNS provider:

https://1.1.1.1/[Cloudflare DNS]
https://developers.google.com/speed/public-dns/[Google DNS]
https://quad9.net/[Quad9]

Example for setup using non-filtering Cloudflare DNS server:

[,RouterOS]

/ip dns set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

Configure the PPPoE client to ignore the DNS servers provided by the ISP:

[,RouterOS]

/interface pppoe-client set [find name=pppoe-telekom] use-peer-dns=no

==== Redirect all DNS requests to router

One can even prevent users to use their own DNS settings and force them to use the router for look ups by redirecting all request to the router:

[,RouterOS]

/ip firewall nat print add action=dst-nat chain=dstnat in-interface-list="LAN"
src-address=!10.0.0.1 dst-port=53 to-addresses=10.0.0.1
protocol=udp comment="DNS redirect (UDP)" add action=dst-nat chain=dstnat in-interface-list="LAN"
src-address=!10.0.0.1 to-addresses=10.0.0.1 dst-port=53
protocol=tcp comment="DNS redirect (TCP)"

[discrete] ==== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/DNS#DNS-DNSconfiguration[DNS Configuration] ** https://help.mikrotik.com/docs/display/ROS/PPPoE#PPPoE-Properties[PPPoE Client Properties] ** https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT[IP/Firewall/NAT]

=== Setup DynDNS (DDNS)

RouterOS has a builtin DDNS client using its own service but allows also custom scripts to be used

==== Builtin DDNS

The builtin client is easy to use but does not allow custom names. Setup is easy but the name is based on the serial number of the router, so the DNS name will definitely change in case of a replacement.

.https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Properties[Cloud - DDNS Properties: dns-name] [,txt]

Name consists of 12 character serial number appended by .sn.mynetname.net.

Activate builtin DDNS client:

[,RouterOS]

/ip cloud set ddns-enabled=yes

[discrete] ===== References

MikroTik ** https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#DDNS[Cloud - DDNS] ** https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Properties[Cloud - DDNS Properties]

==== Custom DDNS scripts

Another option is to use a custom script with one of the many available DDNS provider.

===== Free DDNS provider

Having checked some of the free DDNS provider, these are my favorites:

https://freedns.afraid.org/[FreeDNS] + While most services require username / password AND the new IP address to perform the update FreeDNS has a https://freedns.afraid.org/dynamic/v2/tips/[nice feature], where one just performs a HTTP GET on a URL such as https://sync.afraid.org/u/RANDOM_TOKEN/ to update the related subdomain. + FreeDNS detects the IP by it self. Really simple!
https://www.duckdns.org/[Duck DNS] + This DDNS has a https://www.duckdns.org/install.jsp?tab=fritzbox[feature] very similar to FreeDNS. Just performing a HTTP GET on http://www.duckdns.org/update?domains=YOUR_SUBDOMAIN&token=YOUR_TOKEN&ip= triggers the update. + If the value for ip is omitted, DuckDNS detects the IP itself and by that makes the calling script quite simple.

===== The custom script

When one installs a script on the router, one has to assign a name to the script. For the PPP connection this script can be configured to be called on-up (when the connection has been established).

When the PPP connection is established, the link:scripts/mikrotik/DDNS.rsc[custom script] gets called and does a few things:

It uses the name of the script as service name for logging purposes.
Before it does any updates, it tries to validate the connection is really working by pinging a remote party.
If the connection has been validated, the sync URL is called.

====== Installing the script

The link:scripts/mikrotik/DDNS.rsc[script] can be either created via the the WebFig (System / Scripts / Add New).

.Example for FreeDNS |=== | Setting | Value

| Comment (used to store the sync URL) a| http://sync.afraid.org/u/your_token/

| Name a| FreeDNS

| Don't Require Permissions | [x]

| Policy | [x] read + [x] write + [x] policy + [x] test

| Script | content of link:scripts/mikrotik/DDNS.rsc[DDNS.rsc]

|===

or created via shell:

[,RouterOS]

/system script add dont-require-permissions=no policy=read,write,policy,test
name=FreeDNS comment="http://sync.afraid.org/u/your_token/"
source="#!rsc
\n#
\n# Requires RouterOS
\n#
\n# MikroTik script to update the DNS entry when Internet connection has b
een
\n# established via PPP.
\n#
\n# Assign this script in the PPP profile as "on-up" script and assign t
he
\n# profile to the PPPoE connection.
\n#
\n# Permissions required:
\n# - read
\n# - write
\n# - policy
\n# - test (to execute ping)
\n#
\n
\n:local notSetYet "Comment NOT set up to hold sync URL yet";
\n
\n# get name of script
\n:local serviceName [:jobname]; # eg. "FreeDNS"
\n
\n# retrieve value of sync URL from comment of this script
\n:local syncURL [/system/script { get [find name="$serviceName"] comme
nt }];
\n
\n# abort if the URL hasn't been set up by user yet
\n:if (!("$syncURL"~"^http")) do={
\n # set default value if no value has been set for comment yet
\n :if ("$syncURL" = "") do= {
\n /system/script { set [find name="$serviceName"] comment="$n
otSetYet" };
\n }
\n
\n :log error "$serviceName: $notSetYet";
\n :error $notSetYet;
\n}
\n
\n{
\n :local maxDelay 10;
\n :local counter 0;
\n
\n # check if Internet is up, pinging the nameserver of Cloudflare in t
his case
\n :while ([:typeof ([:ping address=1.1.1.1 count=1 as-value]->"time"
)] = "nothing") do={
\n :set counter ($counter + 1);
\n
\n # if max delay has been exceeded: abort
\n :if ($counter > $maxDelay) do={
\n :local msg "Failed to detect Internet => no update";
\n
\n :log warning "$serviceName: $msg";
\n :error $msg;
\n } else={
\n # bit of delay between attempts
\n :delay 500ms;
\n }
\n }
\n}
\n
\n:do {
\n # call update endpoint and store response
\n :local result [/tool fetch url="$syncURL" as-value output=user]
\n :if ($result->"status" = "finished") do={
\n # add a new line as sentinel in case "data" has none
\n :local response ($result->"data" . "\n") ;
\n
\n # retrieve only the first line of $response
\n :local endOfFirstLine ([:find $response "\n"]);
\n :set response ([:pick $response 0 $endOfFirstLine]);
\n
\n :log info "$serviceName: $response";
\n :put $response;
\n }
\n} on-error={
\n :log warning "$serviceName: Failure while calling update endpoint
";
\n}
\n"

====== Update the sync URL

If the sync URL changes, the comment filed can be updated accordingly using either WebFig or the CLI.

.Update the sync URL via CLI [,RouterOS]

/system script set [find name=FreeDNS] comment="http://sync.afraid.org/u/your_new_token/"

====== Executing the script manually

The script allows also manual execution (independent of the current PPP state):

[,RouterOS]

/system script run FreeDNS

=== WireGuard setup

WireGuard requires the configuration of a dedicated interface and a dedicated network. In addition, each WireGuard peer must be manually assigned an IP address. (A peer can be a "Road Warrior" client or a remote location to which a secure connection is to be established). While manually assigning IP addresses works for a site-to-site configuration or a "Road Warrior" setup with a few clients, a different setup may be required for larger deployments.

[NOTE]

In this setup, port `13231` is used on the router side, but this value is arbitrary and can be replaced by another as long as it is the same in all configuration steps.

==== Set up WireGuard - on MikroTik

.Create WireGuard interface [,RouterOS]

/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1 comment="Digital Home"

(The created interface will automatically get a computed, random public key).

.Configure IP address / network for WireGuard interface [,RouterOS]

/ip address add address=172.17.2.1/24 network=172.17.2.0 interface=wireguard1
comment="Digital Home"

.Allow incoming WireGuard traffic to let peers connect [,RouterOS]

/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
comment="Digital Home - allow WireGuard"

.Mark WireGuard interface as LAN to allow DNS lookup, etc. [,RouterOS]

/interface list member add interface=wireguard1 list=LAN comment="Digital Home"

(This could be more sophisticated if one uses more zones, etc.)

==== Public key - on MikroTik

Peers need to know the public key of the router as their WireGuard peer. The public key can be looked up in WebFig or retrieved via console:

.Get automatically created public key of WireGuard interface [,RouterOS]

:put [/interface wireguard get [find name=wireguard1] "public-key" ]

==== Configure peer - on respective device

This is the configuration of peer Digital nomad - 001:

.WireGuard tunnel [cols="a,a,a"] |=== | Setting | Value | Comment

| Name | Digital Home | Arbitrary, here the same name as on the router side for recognition.

| Address | 172.17.2.2/32 | Address from the wireguard1 network for this specific client.

| DNS server | 172.17.2.1 | Address of the router in the wireguard1 network.

|===

.Peer (data of the router) [cols="a,a,a"] |=== | Setting | Value | Comment

| Public key | <public_key_of_router> | Public key retrieved from router.

| Endpoint | your.dyndns.name.com:13231 | DNS name by which the router can be found and the listen-port configured for wireguard1.

| Allowed IPs | 0.0.0.0, ::/0 | Whitelist of destination IPs that are to be routed through this peer (in this case all traffic) and from which traffic is allowed. + Using e.g. "10.0.0.0/16" would only route to/from the home network, but one could NOT access the Internet via this peer.

|===

After setting up the WireGuard tunnel on a specific device, the public key of this device is required to make a final configuration on the router.

==== Add peer - on MikroTik

.Add peer with its individual public key to router setup [,RouterOS]

/interface wireguard peers add allowed-address=172.17.2.2/32 interface=wireguard1
public-key="public_key_of_001"
comment="Digital nomad - 001"

[discrete] ==== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-RoadWarriorWireGuardtunnel[RoadWarrior WireGuard tunnel]
WireGuard ** https://www.wireguard.com/#conceptual-overview[Conceptual Overview] ** https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8[man page of wg(8)]

=== Port forwarding

==== Loopback NAT / Hairpin NAT

Loopback NAT allows access of an internal service (forwarded port) by the external IP, e.g. when using a DynDNS name and a port as an external party would do. RouterOS does not have rules configured out of the box to support loopback NAT, but it's easy although a bit unusual to setup.

When using PPP there are basically two options:

. Update the IP of the configured IP interface. This would require some changes on PPP on-up script... . Use the DynDNS and let the router do the resolution of the name dynamically.

The following steps describe the last option.

.Add DynDNS name as "IP" (RouterOS will dynamically resolve the name to an IP) [,RouterOS]

/ip firewall address-list add address=your.dyndns.name.com list=WAN-IP

.Masquerade access from internal IPs to internal IPs [,RouterOS]

/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT"
dst-address=10.0.0.0/16
src-address=10.0.0.0/16
place-before=0

This rule has to be the first one as it has to work before any of the traffic might get rejected.

==== Actual port forwarding

Instead of using the WAN IP directly, we use the WAN-IP address list which resolves the WAN IP auto-magically.

.Example allowing access to internal Minecraft server [,RouterOS]

/ip firewall nat add action=dst-nat chain=dstnat comment="Minecraft TCP"
dst-address-list=WAN-IP dst-port=1337 protocol=tcp
to-addresses=10.0.0.65 to-ports=25565 add action=dst-nat chain=dstnat comment="Minecraft UDP"
dst-address-list=WAN-IP dst-port=1337 protocol=udp
to-addresses=10.0.0.65 to-ports=25565

The dst-port is the external port where the services is made publicly available whereas to-ports is the port where the service is available on the internal host.

[discrete] ==== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT[Hairpin NAT] ** https://forum.mikrotik.com/viewtopic.php?t=162287[Hairpin NAT: Is there a simple solution?]

[discrete] ==== Sources

https://www.steveocee.co.uk/mikrotik/hairpin-nat/[Hairpin NAT - Steveocee]

=== Add access to modem

The modem resides behind the router and has its own address / network. It's possible to access the modem with a few configuration adjustments.

==== External modem

The modem (either VDSL or fiber) is attached to ether1.

Add NAT rule to the firewall for the modem interface:

[,RouterOS]

/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
comment="Modem ether1"

===== Configuration for Zyxel VMG1312-B30A

The modem has the address 192.168.1.1/24.

Assign ether1 a dedicated IP in the network range of the modem to allow routing:

[,RouterOS]

/ip address add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
comment="Zyxel VMG1312-B30A"

Assign the modem a name (so that one does not have to remember its network/IP):

[,RouterOS]

/ip dns static add address=192.168.1.1 name=modem.lan comment="Zyxel VMG1312-B30A"

===== Configuration for Glasfaser Modem 2

The modem has the address 192.168.100.1/24.

Assign ether1 a dedicated IP in the network range of the modem to allow routing:

[,RouterOS]

/ip address add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
comment="Glasfaser Modem 2"

Assign the modem a name (so that one does not have to remember its network/IP):

[,RouterOS]

/ip dns static add address=192.168.100.1 name=gmodem2.lan comment="Glasfaser Modem 2"

==== Internal SFP modem

The modem is attached to sfp-sfpplus1.

Add NAT rule to the firewall for the modem interface:

[,RouterOS]

/ip firewall nat add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
comment="Modem SFP+"

===== Configuration for Digitalisierungsbox Glasfasermodem

The modem has the address 10.10.1.1/24.

Assign sfp-sfpplus1 a dedicated IP in the network range of the modem to allow routing:

[,RouterOS]

/ip address add address=10.10.1.2/24 interface=sfp-sfpplus1 network=10.10.1.0
comment="Digitalisierungsbox Glasfasermodem"

Assign the modem a name (so that one does not have to remember its network/IP):

[,RouterOS]

/ip dns static add address=sfp-sfpplus1 name=fiber-modem.lan
comment="Digitalisierungsbox Glasfasermodem"

== Activate Internet detection

Applying this setting will make RouterOS try to detect the "Internet".

It's activated mostly to allow the mobile app to show some nice graphs about bandwidth usage...

As this feature might mix up interface lists (and by that firewall settings), it is safer to create interface lists solely for the purpose of Internet detection.

[,RouterOS]

/interface list add name=di-where-detect add name=di-detected-lan add name=di-detected-wan add name=di-detected-internet

/interface detect-internet set detect-interface-list=di-where-detect
lan-interface-list=di-detected-lan
wan-interface-list=di-detected-wan
internet-interface-list=di-detected-internet

/interface list member add interface=pppoe-out1 list=di-where-detect

[discrete] === References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/Detect+Internet[Detect Internet] ** https://forum.mikrotik.com/viewtopic.php?t=187814#p946990[What is Detect Internet for?]

== Configure NTP client

[,RouterOS]

/system ntp client set enabled=yes /system ntp client servers add address=europe.pool.ntp.org

[discrete] === References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/NTP#NTP-NTPClientproperties:[RouterOS version 7 NTP Client properties]

== Configure timezone (optional)

Per default auto-detection of the time zone is enabled. One can still specify the timezone manually.

[,RouterOS]

/system clock set time-zone-name=Europe/Berlin

[discrete] === References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/Clock[Clock]

== Services

=== Create & add SSL certificate for web-ssl

To start web-ssl one needs to create a certificate which can't be done solely on the MikroTik itself.

[discrete] ==== Sources

https://cyberjunky.nl/create-self-sign-cert-for-mikrotik/[Create a Self-Signed Certificate on MikroTik]

==== Step 1 - Create certificate request - MikroTik

[,RouterOS]

/certificate add name=SSL common-name=SSL key-size=2048 create-certificate-request template=SSL key-passphrase=

==== Step 2 - Create self-signed certificate - System with OpenSSL installed

Copy the files to a system with OpenSSL.

[,shell]

openssl rsa -in certificate-request_key.pem -text > certificate-request2.pem openssl x509 -req -days 9999 -in certificate-request.pem -signkey certificate-request2.pem -out mikrotik_ssl.crt

Upload the created files to the MikroTik.

==== Step 3 - Configure certificate - MikroTik

Configure the imported file as certificate.

[,RouterOS]

/certificate import file-name=mikrotik_ssl.crt

.Output [,RouterOS]

passphrase: ****** certificates-imported: 1 private-keys-imported: 0 files-imported: 0 decryption-failures: 0 keys-with-no-certificate: 0

==== Step 4 - Configure key - MikroTik

Configure the imported key file.

[,RouterOS]

/certificate import file-name=certificate-request2.pem

.Output: [,RouterOS]

passphrase: ***** certificates-imported: 0 private-keys-imported: 1 files-imported: 1 decryption-failures: 0 keys-with-no-certificate: 0

==== Step 5 - Validate certificate - MikroTik

[,RouterOS]

/certificate print

.Output: [,RouterOS]

Flags: K - PRIVATE-KEY; T - TRUSTED Columns: NAME, COMMON-NAME, FINGERPRINT

NAME COMMON-NAME FINGERPRINT

0 SSL SSL abc... 1 KT mikrotik_ssl.crt_0 SSL efg...

==== Step 6 - Configure and enable web-ssl - MikroTik

Configure web-ssl to use the certificate and enable the service:

[,RouterOS]

/ip service set [find name=www-ssl] certificate=mikrotik_ssl.crt_0 disabled=no

[discrete] ==== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/Certificates[Certificates]

=== Disable unused services

Keep ssh, www and www-ssl but disable service not used.

[,RouterOS]

/ip service set api disabled=yes set api-ssl disabled=yes set ftp disabled=yes set telnet disabled=yes

== DNS Caveats

When switching from VDSL to fiber it might seem that the connection does not work properly. The reason could be actually local DNS caching, here www.heise.de is resolved to ip.block.dt.de:

[,sh]

$ ping www.heise.de PING ip.block.dt.de (46.29.100.42): 56 data bytes 64 bytes from 46.29.100.42: icmp_seq=0 ttl=52 time=29.764 ms 64 bytes from 46.29.100.42: icmp_seq=1 ttl=52 time=29.047 ms 64 bytes from 46.29.100.42: icmp_seq=2 ttl=52 time=29.401 ms ...

One can either reboot or flush the DNS cache:

=== Flushing MikroTik DNS cache

[,RouterOS]

/ip dns cache flush

[discrete] ==== References

MikroTik ** https://help.mikrotik.com/docs/display/ROS/DNS#DNS-DNSCache[DNS Cache]

=== Flushing Linux DNS cache

[,bash]

sudo systemd-resolve --flush-caches sudo resolvectl flush-caches

or when DNS resolution is using dnsmasq

[,bash]

sudo killall -HUP dnsmasq

=== Flushing MacOS DNS cache

[,zsh]

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

=== Flushing Windows DNS cache

mikrotik-router-setup mikrotik-router-setup copied to clipboard

Metadata

[,RouterOS]

/system/default-configuration/script print

[,RouterOS]

/system/default-configuration print

[,RouterOS]

/interface bridge port remove [find interface=sfp-sfpplus1]

[,RouterOS]

/ip dns static set [find address=192.168.88.1] address=10.0.0.1 name=router

[,RouterOS]

/interface vlan add interface=ether1 vlan-id=7 name=vlan07-telekom comment=Telekom

[,RouterOS]

/interface pppoe-client add interface=vlan07-telekom add-default-route=yes use-peer-dns=yes name=pppoe-out1 user="AAAAAAAAAAAATTTTTTTTTTT#[email protected]" password="12345678" disabled=yes comment=Telekom

[,RouterOS]

/interface list member add list=WAN interface=pppoe-out1 comment=Telekom

[,RouterOS]

/interface pppoe-client set [find name=pppoe-out1] disabled=no

[,RouterOS]

/routing igmp-proxy interface add interface=pppoe-out1 alternative-subnets=87.141.215.251/32 upstream=yes comment=MagentaTV add interface=bridge comment=MagentaTV

[,RouterOS]

/ip firewall address-list add address=224.0.0.0/4 list=Multicast comment=MagentaTV add address=232.0.0.0/16 list=Multicast comment=MagentaTV add address=239.35.0.0/16 list=Multicast comment=MagentaTV

[,RouterOS]

/ip firewall filter add chain=input action=accept dst-address-list=Multicast place-before=2 comment=MagentaTV add chain=forward action=accept dst-address-list=Multicast place-before=2 comment=MagentaTV

[,RouterOS]

/interface bridge set [find where name=bridge and comment=defConf] igmp-snooping=yes igmp-version=3 mld-version=2 multicast-router=permanent comment=MagentaTV

[,RouterOS]

/ip dhcp-server lease add client-id=1:22:33:44:55:66:77 mac-address=22:33:44:55:66:77 address=10.0.25.2 comment="Notebook-1" add client-id=1:12:23:34:45:56:67 mac-address=12:23:34:45:56:67 address=10.0.25.11 comment="Android-5"

[NOTE]

The client-id is required, otherwise the router seems to not persist the entry. The client-id was calculated by using the prefix 1: and the MAC of the device.

[,RouterOS]

/ip dns static add name="Notebook-1" address=10.0.25.2 add name="Android-5" address=10.0.25.11

[,RouterOS]

/ip dns static add name="Notebook-1.lan" address=10.0.25.2 add name="Android-5.lan" address=10.0.25.11

[,RouterOS]

/ip dhcp-server option add code=119 name=domain-search-list value="0x03'lan'0x00"

[,RouterOS]

/ip dhcp-server option add code=119 name=domain-search-list value="0x03'lan'0x0003'foo'0x00"

[,RouterOS]

/ip dhcp-server option sets add name=domain-search-set options=domain-search-list

[,RouterOS]

/ip dhcp-server set [find name=dhcp-LAN] dhcp-option-set=domain-search-set

[,RouterOS]

[NOTE]

For times starting at 00:00:00 one has to use 0s on the CLI. + Even if the UI suggests it supports seconds (because they are shown), it does not.

[,RouterOS]

/ip kid-control device add mac-address=12:23:34:45:56:67 name=Android-5 user=Time add mac-address=22:33:44:55:66:77 name=Notebook-1 user=Time-Bandwidth

[,RouterOS]

/ip dns set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

[,RouterOS]

/interface pppoe-client set [find name=pppoe-telekom] use-peer-dns=no

[,RouterOS]

.https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Properties[Cloud - DDNS Properties: dns-name] [,txt]

Name consists of 12 character serial number appended by .sn.mynetname.net.

[,RouterOS]

/ip cloud set ddns-enabled=yes

[,RouterOS]

.Update the sync URL via CLI [,RouterOS]

/system script set [find name=FreeDNS] comment="http://sync.afraid.org/u/your_new_token/"

[,RouterOS]

/system script run FreeDNS

[NOTE]

In this setup, port 13231 is used on the router side, but this value is arbitrary and can be replaced by another as long as it is the same in all configuration steps.

.Create WireGuard interface [,RouterOS]

/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1 comment="Digital Home"

.Configure IP address / network for WireGuard interface [,RouterOS]

/ip address add address=172.17.2.1/24 network=172.17.2.0 interface=wireguard1 comment="Digital Home"

.Allow incoming WireGuard traffic to let peers connect [,RouterOS]

/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp comment="Digital Home - allow WireGuard"

.Mark WireGuard interface as LAN to allow DNS lookup, etc. [,RouterOS]

/interface list member add interface=wireguard1 list=LAN comment="Digital Home"

.Get automatically created public key of WireGuard interface [,RouterOS]

:put [/interface wireguard get [find name=wireguard1] "public-key" ]

.Add peer with its individual public key to router setup [,RouterOS]

/interface wireguard peers add allowed-address=172.17.2.2/32 interface=wireguard1 public-key="public_key_of_001" comment="Digital nomad - 001"

.Add DynDNS name as "IP" (RouterOS will dynamically resolve the name to an IP) [,RouterOS]

/ip firewall address-list add address=your.dyndns.name.com list=WAN-IP

.Masquerade access from internal IPs to internal IPs [,RouterOS]

/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=10.0.0.0/16 src-address=10.0.0.0/16 place-before=0

.Example allowing access to internal Minecraft server [,RouterOS]

mikrotik-router-setup
mikrotik-router-setup copied to clipboard

/ip dns static set [find address=192.168.88.1]
address=10.0.0.1
name=router

/interface pppoe-client add interface=vlan07-telekom add-default-route=yes
use-peer-dns=yes
name=pppoe-out1
user="AAAAAAAAAAAATTTTTTTTTTT#[email protected]"
password="12345678"
disabled=yes
comment=Telekom

/interface bridge set [find where name=bridge and comment=defConf]
igmp-snooping=yes igmp-version=3 mld-version=2 multicast-router=permanent comment=MagentaTV

The `client-id` is required, otherwise the router seems to not persist the entry. The `client-id` was calculated by using the prefix `1:` and the MAC of the device.

For times starting at `00:00:00` one has to use `0s` on the CLI. + Even if the UI suggests it supports seconds (because they are shown), it does not.

In this setup, port `13231` is used on the router side, but this value is arbitrary and can be replaced by another as long as it is the same in all configuration steps.

/ip address add address=172.17.2.1/24 network=172.17.2.0 interface=wireguard1
comment="Digital Home"

/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
comment="Digital Home - allow WireGuard"

/interface wireguard peers add allowed-address=172.17.2.2/32 interface=wireguard1
public-key="public_key_of_001"
comment="Digital nomad - 001"

/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT"
dst-address=10.0.0.0/16
src-address=10.0.0.0/16
place-before=0

/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
comment="Modem ether1"

/ip address add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
comment="Zyxel VMG1312-B30A"

/ip address add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
comment="Glasfaser Modem 2"

/ip firewall nat add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
comment="Modem SFP+"

/ip address add address=10.10.1.2/24 interface=sfp-sfpplus1 network=10.10.1.0
comment="Digitalisierungsbox Glasfasermodem"

/ip dns static add address=sfp-sfpplus1 name=fiber-modem.lan
comment="Digitalisierungsbox Glasfasermodem"