Comprei um Mikrotik e Agora?

Prática de como conectar seu Mikrotik à internet em três cenários diferentes (IP dinâmico privado, PPPoE e IP fixo público). Os exports abaixo tratam da conectividade e do NAT; antes de ligar a porta WAN, defina a senha do admin, restrinja os serviços em /ip service e proteja a chain input com regras de firewall, pois sem isso o Winbox, www, ssh e API do roteador ficam acessíveis pela WAN.

Cenário 1 (ip dinâmico privado)

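# Scenario 1: ether1-wan gets a private, dynamic address from an upstream CPE
# via DHCP; the LAN (192.168.100.0/24) is served by the router's own DHCP
# server and source-NATed out of ether1-wan.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan

# Interface lists so the firewall rules below refer to roles, not port names.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1-wan list=WAN
add interface=ether2-lan list=LAN

/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2-lan lease-time=3d10m name=dhcp1

/ip address
add address=192.168.100.1/24 interface=ether2-lan network=192.168.100.0

# add-default-route is left at its RouterOS default (yes): the default route
# is taken from the upstream lease.
/ip dhcp-client
add interface=ether1-wan

/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan

# The original export had no filter rules: every management service (winbox,
# www, ssh, api, ...) would answer on ether1-wan. This is the RouterOS
# default-configuration baseline: the router itself only accepts new
# connections from the LAN, and LAN hosts are only reachable from the WAN
# through explicit dst-nat rules. Also set an admin password and disable the
# unused entries in /ip service before connecting the WAN port.
/ip firewall filter
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new WAN connections that are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN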

Cenário 2 (pppoe)

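# Scenario 2: the WAN is a PPPoE session over ether1-wan; the public address
# and the default route come from the session (add-default-route=yes). The LAN
# is the same as in scenario 1 and is NATed out of the PPPoE interface.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan

# The PPPoE password is absent from this export (exports omit secrets unless
# run with show-sensitive): supply it with password=... when applying.
# service-name= must match what the ISP's access concentrator announces; an
# empty service-name accepts any concentrator.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-vivo service-name=Vivo user=cliente@cliente

# Interface lists so the firewall rules below refer to roles, not port names.
# The PPPoE interface is the IP-level WAN; ether1-wan is listed too so nothing
# addressed to the router on the raw ethernet side is accepted either.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=pppoe-vivo list=WAN
add interface=ether1-wan list=WAN
add interface=ether2-lan list=LAN

/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2-lan lease-time=3d10m name=dhcp1

/ip address
add address=192.168.100.1/24 interface=ether2-lan network=192.168.100.0

/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-vivo

# The original export had no filter rules: every management service (winbox,
# www, ssh, api, ...) would answer on the public PPPoE address. This is the
# RouterOS default-configuration baseline: the router itself only accepts new
# connections from the LAN, and LAN hosts are only reachable from the WAN
# through explicit dst-nat rules. Also set an admin password and disable the
# unused entries in /ip service before bringing the session up.
/ip firewall filter
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new WAN connections that are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN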

Cenário 3 (ip fixo público)

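# Scenario 3: a static public /30 from the operator on ether1-wan, with a
# manual default route to the operator's side of the /30. The routing-table=
# and suppress-hw-offload= route parameters are RouterOS 7 syntax.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan

# Interface lists so the firewall rules below refer to roles, not port names.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1-wan list=WAN
add interface=ether2-lan list=LAN

# Default wireless security profile as exported; harmless on a device
# without wireless.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2-lan lease-time=3d10m name=dhcp1

/ip address
add address=192.168.100.1/24 interface=ether2-lan network=192.168.100.0
add address=191.175.30.2/30 interface=ether1-wan network=191.175.30.0

/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan

# The original export had no filter rules: every management service (winbox,
# www, ssh, api, ...) would answer on the public address. This is the
# RouterOS default-configuration baseline: the router itself only accepts new
# connections from the LAN, and LAN hosts are only reachable from the WAN
# through explicit dst-nat rules. Also set an admin password and disable the
# unused entries in /ip service before connecting the WAN port.
/ip firewall filter
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new WAN connections that are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Static default route via the operator's end of the /30.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=191.175.30.1 routing-table=main suppress-hw-offload=no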

Alta Disponibilidade Utilizando VRRP no Mikrotik

Prática de configuração de Alta Disponibilidade (HA) com Mikrotik utilizando VRRP.

R1-MASTER

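# R1-MASTER: active unit of a VRRP pair. Both routers are cabled to both
# operators and carry the same operator-side addresses; only the VRRP master
# keeps the IP-OPERADORA addresses enabled (on-master/on-backup scripts), so
# the standby never answers on the operator links. Note the physical mapping
# differs from R2 on purpose (here ether4 is operator 1, on R2 it is
# operator 2); the names etherN-oper-M are what the other rules reference.
/interface ethernet
set [ find default-name=ether4 ] name=ether1-oper-1
set [ find default-name=ether1 ] name=ether2-oper-2
set [ find default-name=ether2 ] name=ether3-lan
set [ find default-name=ether3 ] name=ether4-ger

# Virtual LAN gateway 192.168.100.1; priority=254 makes this unit the
# preferred master (R2 keeps the default priority).
# NOTE(review): no authentication is configured and RouterOS VRRP defaults to
# version 3, which carries none: any host on ether3-lan can advertise a higher
# priority for vrid 10 and take over the LAN default gateway. Run this only on
# a trusted segment, or set version=2 authentication=ah password=... on BOTH
# routers (both units must agree on version and authentication).
/interface vrrp
add interface=ether3-lan name=vrrp1 on-backup="/ip address set [find comment=\"IP-OPERADORA\"] disabled=yes" on-master="/ip address set [find comment=\"IP-OPERADORA\"] disabled=no" priority=254 vrid=10

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# ether4-ger is the management port; it is treated as LAN so the input filter
# below still allows management from it.
/interface list member
add interface=ether1-oper-1 list=WAN
add interface=ether2-oper-2 list=WAN
add interface=ether3-lan list=LAN
add interface=ether4-ger list=LAN

/ip address
add address=191.189.1.2/30 comment=IP-OPERADORA interface=ether1-oper-1 network=191.189.1.0
add address=186.151.10.2/30 comment=IP-OPERADORA interface=ether2-oper-2 network=186.151.10.0
add address=192.168.100.2/24 interface=ether3-lan network=192.168.100.0
add address=192.168.100.1 interface=vrrp1 network=192.168.100.1

# Management address via DHCP; never learn a default route, DNS or NTP from it.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether4-ger use-peer-dns=no use-peer-ntp=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

# The original export had no filter rules: every management service would
# answer on both operator addresses. RouterOS default-configuration baseline:
# the router only accepts new connections from LAN/management ports, and LAN
# hosts are reachable from the WAN only through explicit dst-nat rules. VRRP
# advertisements arrive on ether3-lan (in the LAN list) and are not affected.
/ip firewall filter
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new WAN connections that are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Two default routes chosen by distance; check-gateway=ping deactivates a
# route whose next hop stops answering. The /32 routes pin each monitored
# host to one operator so netwatch really tests that operator's path.
/ip route
add check-gateway=ping comment=ROTA-DEFAULT-OPERADORA-1 distance=1 gateway=191.189.1.1
add check-gateway=ping comment=ROTA-DEFAULT-OPERADORA-2 distance=2 gateway=186.151.10.1
# TODO(review): 192.168.1.1 is not on any subnet configured here; presumably
# it is reachable through the ether4-ger lease - confirm.
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.1.1
add comment=HOST-MONITORADO-OPERADORA-2 distance=1 dst-address=208.67.220.220/32 gateway=186.151.10.1
add comment=HOST-MONITORADO-OPERADORA-1 distance=1 dst-address=208.67.222.222/32 gateway=191.189.1.1

/system identity
set name=R1-MASTER

# End-to-end probe per operator (check-gateway only sees the next hop). While
# this unit is VRRP backup its operator addresses are disabled, so both probes
# fail and both default routes are disabled; after becoming master again they
# are re-enabled within about one probe interval (15 s).
/tool netwatch
add down-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-1\"] disabled=yes" host=208.67.222.222 interval=15s up-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-1\"] disabled=no"
add down-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-2\"] disabled=yes" host=208.67.220.220 interval=15s up-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-2\"] disabled=no"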
R2-BACKUP

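# R2-BACKUP: standby unit of the VRRP pair. It carries the same operator-side
# addresses as R1, but they are exported disabled here (the original had them
# enabled, so the standby booted with duplicates of the master's addresses
# until its on-backup script ran); the on-master script enables them. The
# default routes are likewise exported disabled and only enabled by netwatch
# once the operator path answers. Physical mapping: ether4 is operator 2 and
# ether1 is operator 1 (the opposite of R1).
/interface ethernet
set [ find default-name=ether4 ] name=ether1-oper-2
set [ find default-name=ether1 ] name=ether2-oper-1
set [ find default-name=ether2 ] name=ether3-lan
set [ find default-name=ether3 ] name=ether4-ger

# Same vrid and virtual address as R1; default priority, so R1 (254) wins.
# NOTE(review): no authentication and the RouterOS default VRRP version 3 has
# none - any host on ether3-lan can claim vrid 10. Run this only on a trusted
# segment, or set version=2 authentication=ah password=... on BOTH routers.
/interface vrrp
add interface=ether3-lan name=vrrp1 on-backup="/ip address set [find comment=\"IP-OPERADORA\"] disabled=yes" on-master="/ip address set [find comment=\"IP-OPERADORA\"] disabled=no" vrid=10

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# ether4-ger is the management port; it is treated as LAN so the input filter
# below still allows management from it.
/interface list member
add interface=ether1-oper-2 list=WAN
add interface=ether2-oper-1 list=WAN
add interface=ether3-lan list=LAN
add interface=ether4-ger list=LAN

/ip address
add address=186.151.10.2/30 comment=IP-OPERADORA disabled=yes interface=ether1-oper-2 network=186.151.10.0
add address=191.189.1.2/30 comment=IP-OPERADORA disabled=yes interface=ether2-oper-1 network=191.189.1.0
add address=192.168.100.3/24 interface=ether3-lan network=192.168.100.0
add address=192.168.100.1 interface=vrrp1 network=192.168.100.1

# Management address via DHCP; never learn a default route, DNS or NTP from it.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether4-ger use-peer-dns=no use-peer-ntp=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

# The original export had no filter rules: every management service would
# answer on both operator addresses once this unit became master. RouterOS
# default-configuration baseline, identical to R1.
/ip firewall filter
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new WAN connections that are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Default routes start disabled; netwatch enables each one when its pinned
# probe host answers, which can only happen after on-master has enabled the
# operator addresses (up to ~15 s without a default route after failover).
/ip route
add check-gateway=ping comment=ROTA-DEFAULT-OPERADORA-1 disabled=yes distance=1 gateway=191.189.1.1
add check-gateway=ping comment=ROTA-DEFAULT-OPERADORA-2 disabled=yes distance=2 gateway=186.151.10.1
# TODO(review): 192.168.1.1 is not on any subnet configured here; presumably
# it is reachable through the ether4-ger lease - confirm.
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.1.1
add comment=HOST-MONITORADO-OPERADORA-2 distance=1 dst-address=208.67.220.220/32 gateway=186.151.10.1
add comment=HOST-MONITORADO-OPERADORA-1 distance=1 dst-address=208.67.222.222/32 gateway=191.189.1.1

/system identity
set name=R2-BACKUP

/tool netwatch
add down-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-1\"] disabled=yes" host=208.67.222.222 interval=15s up-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-1\"] disabled=no"
add down-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-2\"] disabled=yes" host=208.67.220.220 interval=15s up-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-2\"] disabled=no"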

Failover em Mikrotik utilizando Netwatch

Nessa dinâmica configuraremos um Mikrotik do zero ao failover entre duas operadoras.

Export do RouterOS onde configuramos o Failover utilizando o Netwatch

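# Dual-operator failover: operator 1 is preferred (distance 1). Netwatch
# probes a host pinned to operator 1's path and, when it stops answering,
# pushes that default route behind operator 2's (distance 3 > 2).
/interface ethernet
set [ find default-name=ether2 ] name=ether2-oper-1
set [ find default-name=ether3 ] name=ether3-oper-2
set [ find default-name=ether4 ] name=ether4-lan

# Interface lists so the firewall rules below refer to roles, not port names.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether2-oper-1 list=WAN
add interface=ether3-oper-2 list=WAN
add interface=ether4-lan list=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip address
add address=10.10.10.2/30 interface=ether2-oper-1 network=10.10.10.0
add address=10.10.20.2/30 interface=ether3-oper-2 network=10.10.20.0
add address=192.168.100.1/24 interface=ether4-lan network=192.168.100.0

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-oper-1
add action=masquerade chain=srcnat out-interface=ether3-oper-2

# The original export had no filter rules: every management service would
# answer on both operator links. RouterOS default-configuration baseline:
# the router only accepts new connections from the LAN, and LAN hosts are
# reachable from the WAN only through explicit dst-nat rules.
/ip firewall filter
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new WAN connections that are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# check-gateway=ping (added) deactivates a default route whose next hop goes
# silent. The original only probed operator 1's path, so once traffic had
# moved to operator 2 nothing detected a failure there; the second route is
# also given a comment so scripts can find it.
/ip route
add check-gateway=ping comment=ROTA-DEFAULT-OPERADORA-1 distance=1 gateway=10.10.10.1
add check-gateway=ping comment=ROTA-DEFAULT-OPERADORA-2 distance=2 gateway=10.10.20.1
add comment=HOST-MONITORADO-OPER-1 distance=1 dst-address=200.160.2.3/32 gateway=10.10.10.1

# Both scripts flip the route distance and then bounce connection tracking to
# flush the NAT table so existing flows re-establish via the new operator.
# NOTE(review): for the ~1 s tracking is off, srcnat is not applied (LAN
# packets can leave with private source addresses) and every
# connection-state rule is blind. If that window matters, prefer removing the
# entries while tracking stays on (/ip firewall connection remove [find]) -
# verify on your RouterOS release.
/tool netwatch
add down-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-1\"] distance=3\r\n/ip firewall connection tracking set enabled=no\r\n:delay 1s\r\n/ip firewall connection tracking set enabled=auto" host=200.160.2.3 interval=10s up-script="/ip route set [find comment=\"ROTA-DEFAULT-OPERADORA-1\"] distance=1\r\n/ip firewall connection tracking set enabled=no\r\n:delay 1s\r\n/ip firewall connection tracking set enabled=auto"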

Script básico de Firewall para Roteador Mikrotik

Este é um script de firewall básico que poderá ser aplicado para qualquer roteador Mikrotik 6.xx.

Segue script de configuração básica para firewall em seu roteador, descartando tráfegos desnecessários.

Por favor, preste atenção nos comentários antes de aplicar cada regra de bloqueio.

VAMOS LÁ! Primeiro precisamos criar nosso ADDRESS LIST com todos os IPs que iremos utilizar.

Abaixo você precisará alterar a rede x.x.x.x/x para o seu endereçamento de suporte. Esta rede terá acesso completo ao seu roteador (a regra "Libera acesso total a lista de SUPORTE" aceita tudo que vier dela), portanto mantenha-a o mais restrita possível — um /32 por estação de administração é melhor do que a rede inteira do escritório.

# Management/support network. Everything with a source in this list bypasses
# the input filter below ("Libera acesso total a lista de SUPORTE" accepts
# it unconditionally), so keep it as narrow as possible.
/ip firewall address-list add address=x.x.x.x/x disabled=no list=support

Abaixo nós temos a lista bogon.

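# Bogon / reserved prefixes, consumed by the filter rules below. Entries that
# overlap with space you may legitimately use (RFC 1918, multicast, CGNAT)
# ship disabled - enable them only after checking.
# Fixes vs. the original: loopback is 127.0.0.0/8, not /16 (RFC 3330 sec. 3);
# three entries were split with "\" followed by a trailing space, which is
# not a line continuation and did not parse, so every entry is now a single
# line; 100.64.0.0/10 (RFC 6598) and 240.0.0.0/4 added.
/ip firewall address-list
add address=0.0.0.0/8 comment="Identificação [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Privado [RFC 1918] - CLASSE A # Verifique se você precisará dessa subnet antes de ativar essa regra" disabled=yes list=bogons
# Shared address space used by CGNAT: if your WAN address is inside
# 100.64.0.0/10 this must stay disabled.
add address=100.64.0.0/10 comment="CGNAT [RFC 6598] # Verifique se a sua operadora usa CGNAT antes de ativar essa regra" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Privado[RFC 1918] - CLASS B # Verifique se você precisará dessa subnet antes de ativar essa regra" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Privado[RFC 1918] - CLASS C # Verifique se você precisará dessa subnet antes de ativar essa regra" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reservado - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
# 198.18.0.0/15 is the benchmarking range of RFC 2544 (original label kept).
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reservado - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Verifique se você precisará dessa subnet antes de ativar essa regra" disabled=yes list=bogons
add address=240.0.0.0/4 comment="Reservado - Classe E [RFC 1112]" disabled=no list=bogons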

Agora nós temos as seguintes proteções: SynFlood, ICMP Flood, Port Scan, Email Spam e algumas coisas a mais. Para maiores informações, leia os comentários de cada regra antes de aplicá-la.

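# Interface roles used by the rules below. The original script had no notion
# of a LAN/WAN side, which is why its DNS rules accepted port 53 from any
# interface - an open resolver on the WAN whenever /ip dns
# allow-remote-requests=yes. Replace the placeholders with your real ports:
# "add" fails loudly until you do, and an empty list simply matches nothing.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=SUA-INTERFACE-WAN list=WAN
add interface=SUA-INTERFACE-LAN list=LAN

/ip firewall filter
# --- input: traffic addressed to the router itself ---
# Detection rules come before the established/related accept so a listed
# source is dropped even for flows that are already open.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Adiciona IP Syn Flood IP na lista" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Bloqueia da Lista de syn flood" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Detectando Port Scanner" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Bloqueio da lista de scan" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Salta para o fluxo de entrada de icmp" disabled=no jump-target=ICMP protocol=icmp
# Winbox only from the support list. Ships disabled: enable it only after the
# support list holds your own network. The other management services (ssh 22,
# www 80, api 8728, ...) are only closed by the final drop rule, so restrict
# them in /ip service as well.
add action=drop chain=input comment="Bloqueia acesso total ao winbox - exceto a lista de suporte # NAO LIGUE ESSA REGRA ANTES DE ADICIONAR A SUA SUBREDE NA LISTA DE SUPORTE" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
# Added: a packet arriving from the WAN with a bogon source has no legitimate
# origin. Keep the RFC 1918/CGNAT entries of the list disabled if your WAN
# itself sits behind a private or CGNAT address.
add action=drop chain=input comment="Descarta origem bogon vinda da WAN" disabled=no in-interface-list=WAN src-address-list=bogons
# --- forward: traffic passing through the router ---
add action=jump chain=forward comment="Saltar para o fluxo de encaminhamento de icmp" disabled=no jump-target=ICMP protocol=icmp
# The original rule only filtered bogons as *destination* (LAN hosts talking
# to reserved space); the WAN-source rule after it is the complement.
add action=drop chain=forward comment="Saltar para o bogon list" disabled=no dst-address-list=bogons
add action=drop chain=forward comment="Descarta origem bogon vinda da WAN" disabled=no in-interface-list=WAN src-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Adicionar Spammers na lista por 3 horas" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Bloqueio da lista de spammers" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
# DNS to the router: dst-port= instead of port= (which also matched packets
# whose *source* port was 53) and only from the LAN side.
add action=accept chain=input comment="Aceita DNS - UDP" disabled=no dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Aceita DNS - TCP" disabled=no dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Aceita conexões estabelcidas" connection-state=established disabled=no
add action=accept chain=input comment="Aceita conexões relacionadas" connection-state=related disabled=no
# Added: packets connection tracking cannot associate with any flow.
add action=drop chain=input comment="Descarta conexoes invalidas" connection-state=invalid disabled=no
add action=accept chain=input comment="Libera acesso total a lista de SUPORTE" disabled=no src-address-list=support
add action=drop chain=input comment="Bloqueia todo o restante! # NAO ATIVE ESSA REGRA ANTES DE TER CERTEZA DAS SUAS REGRAS DE LIBERACAO" disabled=yes
# --- ICMP chain, shared by input, forward and output ---
# Echo requests are rate-limited (1/s, burst 5); because forward jumps here
# too, this also limits pings forwarded for LAN hosts. Only the listed
# types/codes pass; everything else (redirects, other unreachable codes such
# as 3:3 port-unreachable) is dropped.
add action=accept chain=ICMP comment="Solitição de Eco - Bloqueio de Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Resposta de Eco" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Tempo excedido" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destino inalcancavel" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Bloqueio de outros pacotes ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Salta para o fluxo de saida de icmp" disabled=no jump-target=ICMP protocol=icmp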

Eu acho que isto é o básico para proteger o seu roteador. Você pode adicionar ou remover qualquer coisa de acordo com o que você precisar. Eu espero que isso ajude!
