WiFi is a technology to turn wired internet into WiFi internet and used in every home and office. Wireless internet gives you the freedom to use the internet without sitting in a single place. It is also true that speed performance drop in Wi-fi due to weak signal or interference. Sometimes laying a physical wired connection in every room is not possible. So Wi-Fi range extender setup helps you to boost signal strength. Instead of buying a new range extender device use old wifi router as range extender mode to boost Wifi signal.
The easy method to boost Wi-fi signal coverage without using a range extender device is make wifi router as repeater mode which will extend signal. This post will help you turn old router as a range extender mode to improve wireless signals in the low signal areas.
Setup WiFi Router as Range extender Mode
To use the router as repeater mode need to access the settings page. To access the router login page use default IP Address router or Make factory reset if forget IP address.
Connect Router LAN port to Desktop or Laptop LAN port.
Use Static IP Address of the same series in LAN settings of Laptop/PC. Exp: if WiFi router login IP 192.168.1.1, use 192.168.1.10 in PC/Laptop LAN.
Open Web browser and access router IP Address.
Use default Login username password as mention in manual or Router sticker.
Change Operation Mode to Repeater Mode
Once you login to router, finds the Wireless tab.
Wireless – Wireless Repeater
Enable Repeater Mode (checkbox to enable)
Click the Site Survey button to search the Host WiFi network.
Change wifi router as range extender
Connect Range extender to Main Wi-Fi Router Wirelessly
Site survey will take 5-10 seconds to scan all wifi networks running nearby.
Select your main Wifi router from the list. Click the Next button.
wr840n repeater mode setup
Provide the Host WiFi password to allow connection from the main WiFi router.
You need to keep your main WiFi router password to allow connection from the range extender device. Always use an Alfa numeric strong combination password for main wifi network so no one can easily hack Wi-Fi.
Wireless Security Settings
Pre-Shared Key: Provide a password in this option and press the Next button.
Use router as repeater mode
Change Range Extender IP Address
The next step is to change the repeater device in the same network of main WiFi router.
IP Address: 192.168.0.10 (my main router default IP is 192.168.0.1 so I use 0.10)
Subnet Mask: 255.255.255.0
TP link range extender mode
Click the Finish button and you will get confirmation to turn router into repeater mode. Press OK button accepts and the router will reboot.
After a few seconds routers will turn into a range extender mode which will get internet from the main WiFi modem router and broadcast the same with the extended network. You can use any brand WiFi router as repeater mode using this user guide. Turning old WiFi router into range extender mode is the best and simple way to improve the low signal problem in the home. You can also use router WPS button to connect wifi without password from mobile.
Range Extender Router Placement
WiFi Range extender placement is most important to get high performances and proper signals of extending networks. There are some points to keep in mind while placing the wifi repeater device to boost the signal.
Do not put repeater router inside box or cupboard.
Keep external antenna straight in up direction so it can air signal in every direction.
Do not install the extender router under the table.
Always find a place where a range extender device can get at least a 40% signal of a main wifi router.
Place repeater device in centralize location where no obstructed between main Wi-Fi router and repeater.
Static Routing is an important topic to any network administrator who works with multiple MikroTik RouterOS and wants to establish communication among Router’s local networks. For example, say a network administrator maintains two MikroTik RouterOS connected with any communication medium and each RouterOS has its own networks and network resources such as servers, printers etc. and he wants that each network and network resources will be accessible from other networks. In this case, static routing configuration between two RouterOS will be a better solution. In this article, I will explain how to configure static routing between two MikroTik RouterOS so that each RouterOS networks will be accessible from other RouterOS networks. But before going to start our configuration, we need to be familiar with some basic routing topics which are necessary for static routing configuration.
Hops
In a Network, each layer 3 device endpoint (router) is called a HOP. In RIP and Static Routing concept, HOP is very important term to understand.
Routing
Routing is the process used to find other networks which is not directly connected in the local router. There are two types of routing.
Static Routing is a process where route is manually generated in routing table. In static routing, the network administrator must know the next hope IP address or outgoing interface in which the network router is connected. Static route format: Route add Network Subnet {next hop IP address/ outgoing interface}. Mikrotik Example: /ip route> add dst-address=Network/Subnet gateway=Next Hop IP Address
Dynamic Routing is a process of learning networks from different routers connected each other. Routers learn network by building neighbor relationship with adjacent router. Examples of dynamic routing are OSPF, EIGRP, RIP, BGP, and ISIS etc.
Static/Specific Routing Configuration
Now we will start static routing configuration in MikroTik Router. Our proposed network will be like below diagram.
MikroTik Static Routing Network Diagram
There are two office networks in this diagram and each office network has a MikroTik RouterOS (R1 & R2). R1 Router is connected to WAN1 having IP address 192.168.110.2/28 and R2 Router is connected to WAN2 having IP address 192.168.10.2/30. R1 Router has its own LAN IP block (172.22.10.0/24) and R2 also has its own LAN IP block (172.22.20.0/24). Both Routers are connected with a communication medium having IP address 10.10.10.1/30 and 10.10.10.2/30 respectively. Now we will configure static routing in both RouterOS so that each LAN IP block can be accessible from other LAN IP block.
As there are two RouterOS (R1 & R2) in this diagram, we have to configure both RouterOS and now I will show this configuration from very beginning.
R1 Router Configuration
In R1 RouterOS, we will perform basic RouterOS configuration as well as static routing configuration. The following steps will show how to do MikroTik Router basic configuration and static routing configuration in R1 RouterOS.
Login to R1 RouterOS using winbox and go to IP > Addresses. In Address List window, click on PLUS SIGN (+). In New Address window, put WAN IP address (192.168.110.2/28) in Address input field and choose WAN interface (ether1) from Interface dropdown menu and click Apply and OK button. Click on PLUS SIGN again and put LAN IP (172.22.10.1/24) in Address input field and choose LAN interface (ether2) from Interface dropdown menu and click on Apply and OK button. Again click on PLUS SIGN and put 10.10.10.1/30 (Gateway address for R2 to access LAN IP block) in Address input field and choose ether3 (RouterOS interface that is connected to R2) from Interface dropdown menu and click on Apply and OK button.
Go to IP > DNS and put DNS servers IP (8.8.8.8 or 8.8.4.4) in Servers input field and click Apply and OK button.
Go to IP > Firewall and click on NAT tab and then click on PLUS SIGN. Under General tab, choose srcnat from Chain dropdown menu and click on Action tab and then choose masquerade from Action dropdown menu. Click on Apply and OK button.
Go to IP > Routes and click on PLUS SIGN (+). In New Route window, click on Gateway input field and put WAN Gateway address (192.168.110.1) in Gateway input field and click Apply and OK button.
Static Routing means providing the destination IP Block and the Gateway address to reach that destination IP Block. As we want to reach R2 Router’s LAN IP Block (172.22.20.0/24) and according to network diagram the Gateway IP Address to reach this destination IP Block is 10.10.10.2, we will provide this information in R1 Router’s Routing table. For this, Go to IP > Routes and click on PLUS SIGN (+). In New Route window, put destination IP Block (172.22.20.0/24) in Dst. Address input field and put the Gateway address (10.10.10.2) in Gateway input field. Click Apply and OK button. If you have more LAN IP Blocks that you need to reach, you can add those IP Blocks according to this step.
Basic configuration and static routing configuration in R1 RouterOS has been completed and R1 Router is now ready to access R2 Router’s LAN IP Block. Now we will configure our R2 Router so that it can access R1 Router’s LAN IP Block.
R2 Router Configuration
Like R1 RouterOS, we will perform basic RouterOS configuration as well as static routing configuration in our R2 RouterOS. The following steps will show how to do MikroTik Router basic configuration and static routing configuration in R2 RouterOS.
Login to R1 RouterOS using winbox and go to IP > Addresses. In Address List window, click on PLUS SIGN (+). In New Address window, put WAN IP address (192.168.10.2/30) in Address input field and choose WAN interface (ether1) from Interface dropdown menu and click Apply and OK button. Click on PLUS SIGN (+) again and put LAN IP (172.22.20.1/24) in Address input field and choose LAN interface (ether2) from Interface dropdown menu and click on Apply and OK button. Again click on PLUS SIGN (+) and put 10.10.10.2/30 (Gateway address for R1 to access LAN IP block) in Address input field and choose ether3 (RouterOS interface that is connected to R1) from Interface dropdown menu and click on Apply and OK button.
Go to IP > DNS and put DNS servers IP (8.8.8.8 or 8.8.4.4) in Servers input field and click Apply and OK button.
Go to IP > Firewall and click on NAT tab and then click on PLUS SIGN (+). Under General tab, choose srcnat from Chain dropdown menu and click on Action tab and then choose masquerade from Action dropdown menu. Click on Apply and OK button.
Go to IP > Routes and click on PLUS SIGN (+). In New Route window, click on Gateway input field and put WAN Gateway address (192.168.10.1) in Gateway input field and click Apply and OK button.
As we want to reach R1 Router’s LAN IP Block (172.22.20.0/24) and according to network diagram the Gateway IP Address to reach this destination IP Block is 10.10.10.1, we will provide this information in R2 Router’s Routing table. For this, Go to IP > Routes and click on PLUS SIGN (+). In New Route window, put destination IP Block (172.22.10.0/24) in Dst. Address input field and put the Gateway address (10.10.10.1) in Gateway input field. Click Apply and OK button. If you have more LAN IP Blocks that you need to reach, you can add those IP Blocks according to this step.
Basic configuration and static routing configuration in R2 RouterOS has been completed and R2 Router is now ready to access R1 Router’s LAN IP Block.
Now connect IP devices in both network and ping these devices. If everything is OK, you will be able to access both network successfully.
You will be able to configure static routing in MikroTik Router if you follow the above steps properly. However, if you face any confusion to do above steps, watch my video about MikroTik static routing configuration step by step. I hope, it will reduce your any confusion.
MikroTik Router is popularly used not only in ISP network but also in enterprise office network. So, MikroTik is a popular item to network administrator. A regular task of a network administrator is to keep and store router configuration file backup.
Almost every network administrator takes configuration file backup manually. But MikroTik Router has an E-mail tool by which network administrators can automate configuration file backup regularly via email and can reduce his daily manual task easily.
E-mail tool is not configured by default in MikroTik RouterOS. So, network administrators must configure E-mail tool as well as do some scripting for getting email backup service. In this article, we are going to see how to configure MikroTik E-mail tool to get configuration file backup via email with a few steps.
We will now configure MikroTik E-mail tool so that it can send configuration file backup via email. Complete configuration for storing backup and then sending via email can be divided into 3 steps.
Email configuration
Writing script for storing backup and sending Email
Creating scheduler for executing script regularly
Step 1: MikroTik Router Email Configuration
For sending email from MikroTik RouterOS, we first need to configure sender email. MikroTik does not have a SMTP Server. For this, we have to provide SMTP server as well as email username and password so that MikroTik RouterOS can send mail through that SMTP Server.
So, to setup SMTP Server and email username and password in MikroTik RouterOS, follow the below steps carefully.
Go to Tools > Email and provide sender email information as below:
Server: SMTP Server IP address (Use your mail server IP or try using Gmail IP: 173.194.77.108)
Port: SMTP Server Port (usually 25 or if you use Gmail SMTP, use 587)
From: Put your email address which will indicate from address for the mail.
User: Put email user name (first part of @ sign) or full email address if applicable.
Password: Put the email password.
Alternatively, we can do cmd:/tool e-mail set address=173.194.77.108 set port=587 set from=systemzonedotnet@gmail.com set user= systemzonedotnet set password=*******
Where 173.194.77.108 is Gmail SMTP Server IP, systemzonedotnet@gmail.com is a test mail ID created for this article and “*******” is the password.
For checking email configuration, send a test mail from MikroTik with below cmd:/tool e-mail send to=sezan.sayeed@yahoo.com subject=”email test” body=”email test” tls=yes
If everything is OK, the test email will be sent to the receiver email address. We will now write script for storing backup file and sending via mail.
Step 2: Script for Storing Backup File and Sending via Email
After completing email configuration, we will now write a script that will store backup file and then send the backup file to the desired mail address. Follow below steps to write script in MikroTik RouterOS.
Go to System > Scripts and click on PLUS SIGN (+) to add a new script. New Script window will appear.
Type a script name (for example, Mail Backup) in Name input field and then copy and paste the below code in source box. :log info “Mikrotik Backup JOB Started . . . “ :global backupfile configbackup :log info “Deleting old Backup File If available otherwise ignore & process further . . . “ /system backup save name=$backupfile :log info “Backup process pausing for 10s so it complete creating backup file” :delay 10s :log info “Start Sending Backup File via Email using GMAIL SMTP . . .” tool e-mailsend to=sezan.sayeed@yahoo.com subject=([/system clock get date] . \ ” MikroTik Backup”) body=”MikroTik email Backup” tls=yes file=$backupfile
:delay 40s
:log info “Backup Finished”
:log info “Deleting Backup File. All Done.”
/file remove $backupfile
Now click Apply and OK button for saving this script.
You can run this script manually by clicking Run Script button or typing this cmd: > system script run 0
Script for storing configuration file backup and sending the file via email is now ready. We will now create a scheduler so that this script can be run regularly at a fixed time.
Step 3: Scheduler for Executing Script Regularly
We have created script for storing configuration file and sending via mail. But the script cannot execute itself. So, we have to create a scheduler that will execute the above script regularly at our desired time. For creating a scheduler in MikroTik RouterOS, follow below steps.
Go to System > Scheduler and click on PLUS SIGN (+) to add new scheduler.
Type scheduler name in Name input box and put script executing time in Start Time input box. For example, if you want to execute the script at 5:30 PM, put the time as 17:30:00.
Put sending time interval at Interval input field. For example, if you want to execute the script daily, put the value as 24:00:00
Now put your script name that you have provided at step 2(here, Mail Backup) in On Event box and then click Apply and OK button.
Scheduler is now ready. If everything is OK, MikroTik Router will send a mail regularly to the desired email address where configuration file should have attached.
You should follow above steps one by one otherwise your desired result may not come. If you face difficulty to do above steps properly, please watch the video tutorial carefully about MikroTik Router Auto Backup via Email. I hope, it will reduce your confusion.
Note: This configuration has been done in MikroTik Router OS version 5.20. If you face any problem in upgraded version, please let me know. I will try to solve the problem.
MikroTik Router configuration file backup via email has been discussed in this article. I hope, you will now be able to configure MikroTik Router for sending configuration file backup via email. If you face any problem, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.
MikroTik RouterBoard and MikroTik Wireless Router are popularly used now a days. MikroTik RouterBoard is used in ISP Network and MikroTik Wireless Router is specially used for home users. MikroTik RouterBoard requires custom configuration because it is used for large network. On the other hand, MikroTik Wireless Router is used in home for a small network.
MikroTik Wireless Router requires quick setup because home users are so hurry and not so technical. So, MikroTik RouterOS 7 provides a quick setup option. In this article, we are going to see the quick setup option of MikroTik RouterOS 7 using Winbox 4.
MikroTik Winbox 4
MikroTik Winbox 4 is a modern, simple and fast RouterOS 7 GUI. It is now available to download from MikroTik Software Download page for any OS platform. If you are yet not familiar with Winbox 4, download and install it in your OS and follow Quick Setup guide. We are using Winbox 4 for our quick setup guide.
MikroTik RouterOS 7 Quick Configuration
Connect the ISP cable to first ether port (ether1) and then connect a RJ45 cable to your PC and any other port of your MikroTik Router. Open Winbox 4 and select Neighbors from right panel of the login window.
The MAC of connected interface will be shown in Neighbors panel. Click on it and it will be assigned in Connect To input box of login panel.
Now put admin in Login input box and keep password field blank and then hit Connect button. You will now be able to login to MikroTik RouterOS 7.
Now follow the following steps to do quick setup of MikroTik RouterOS 7.
From Winbox 4, click on Quick Set menu item from left menu bar. Quick Set window will appear.
Choose Home AP from Quick Set dropdown menu. Home AP setup window looks like the following window.
MikroTik Home AP Quick Setup
Quick Wireless Setup
Click the Wireless panel and put an SSID (such as: MikroTik AP) in Network Name input box.
Click on WiFi Password Plus Sign (+) and put network password in the appeared input box.
Quick Internet Setup
ISP connection will be configured here. An ISP can provide three type connections – Automatic (DHCP), PPPoE or Static. Automatic has no extra configuration because everything will be assigned dynamically. PPPoE requires username and password and will be provided by your uplink ISP. Static connection requires IP Address, Subnet Mask and Default Gateway.
Click on Internet panel and choose your ISP connection type from Address Acquisition radio button.
For Automatic Connection
No need to do anything. Just select Automatic radio button and it will enable a DHCP client on ether1 port and connect to ISP DHCP Server.
For PPPoE Connection
Collect PPPoE Username, Password and PPPoE Service Name provided by ISP and put them accordingly and then click Reconnect button.
For Static Connection
Collect IP Address, Netmask and Gateway from ISP and put them accordingly. Also put DNS Server IP Address if your ISP provide you or you can use Google public DNS IP: 8.8.8.8 and 8.8.4.4.
Quick Local Network Setup
Click on Local Network panel and do the following steps.
Put LAN gateway IP address (such as: 192168.100.1) in IP Address input box.
Choose netmask from Netmask dropdown menu. For example: to get available 256 IP Addresses in Local network, choose 255.255.255.0(/24) option.
Click on Bridge All LAN Ports checkbox.
Click on DHCP Server checkbox.
Put DHCP Server IP address range (192.168.100.2-192.168.100.200) in DHCP Server Range input box.
Also click on NAT checkbox.
Now click Apply and OK button.
MikroTik RouterOS 7 Quick Setup
Your MikroTik Wireless Router is now ready. You can connect any device using wire or wireless, the device will get an IP address from LAN DHCP Server and can access internet connection.
MikroTik RouterOS 7 quick configuration using Winbox 4 has been discussed here. I hope, you will now be able to configure MikroTik RouterOS 7 using Winbox 4. However, if you face any confusion, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.
MikroTik Wireless Router is one of the most popular and stable WiFi Routers. WiFi Zone for an ISP or for an office or for a home can easily be configured with MikroTik WiFi Router. MikroTik has a lot of WiFi Routers that can be used as a WiFi Access Point (AP), a WiFi Station or a WiFi Repeater. MikroTik Wireless Router can also be used as both WiFi Station and WiFi AP simultaneously. The simple usage of MikroTik Wireless Router is to create a WiFi Zone with MikroTik WiFi AP. So, in this article I will discuss how to configure MikroTik WiFi AP to create a WiFi Zone in a home or in an office or even in an ISP network using MikroTik hAP lite wireless router.
MikroTik WiFi Access Point
The bridge or ap-bridge mode of a MikroTik Wireless Router is used to create a WiFi Access Point. MikroTik Wireless Router offers creating meaningful SSID with WPA and WPA2 PSK security. MAC Address filtering can also be applied in MikroTik WiFi AP with Access List and RADIUS Server. A lot of WiFi Routers are available in MikroTik for different purpose. Among these we will configure a hAP lite (RB941-2nD) wireless router (but the configuration can be same for all MikroTik Wireless Routers) to create a WiFi Zone in a home, office or ISP.
Network Diagram
The following network diagram is being followed for this article configuration.
MikroTik WiFi Router
In this network diagram a hAP lite MikroTik Wireless Router is being used as a WiFi AP and LAN gateway. This wireless router has one WLAN interface and four Ethernet interfaces. WiFi AP will be created on WLAN interface so that wireless devices can be connected. Among four Ethernet interfaces, ether1 port will be used as WAN connection with IP network 192.168.70.0/30. We will create a bridge interface and configure a DHCP Server (with IP block 10.10.70.0/24) on this bridge interface and then add WLAN interface and ether2 to ether4 interfaces to this bridge so that WiFi users and LAN users can get IP address, default gateway and other network parameters from this DHCP Server automatically.
MikroTik WiFi AP Configuration
We will now configure WiFi AP and LAN gateway in MikroTik hAP light Wireless Router. Complete Wireless AP Setup and LAN Gateway Configuration can be divided into the following five steps.
Resetting Default RouterOS Configuration
WiFi AP Setup on WLAN Interface
Creating Bridge Interface and Adding LAN and WLAN Ports
Basic RouterOS Configuration
DHCP Configuration on Bridge Interface
Step 1: Resetting RouterOS Default Configuration
MikroTik Wireless RouterOS usually comes with default configuration. But default configuration sometimes makes you confused. So, I always suggest to reset and remove default configuration. The following steps will show how to reset and remove RouterOS default configuration.
Login to RouterOS using Winbox with admin user or any full permission user.
Click on System menu item and then click Reset Configuration option. Reset Configuration window will appear.
Click the No Default Configuration checkbox.
Click on Reset Configuration button. It will ask to confirm resetting configuration. Click Yes to confirm.
Now default configuration will be reset and Routerboard will be rebooted. After successful reboot, you will get a fresh and zero configuration RouterOS.
Resetting RouterOS Default Configuration
Step 2: WiFi AP Setup on WLAN Interface
MikroTik hAP lite wireless router has a WLAN interface where WiFi AP has to be setup. To setup WiFi Access Point in MikroTik Wireless Router we have to first create Security Profile and then create SSID to connect wireless devices.
Creating Security Profiles
To connect a wireless device with MikroTik WiFi AP, wireless devices must provide security key (password). MikroTik wireless supports both WPA PSK and WPA2 PSK authentication type. The following steps will show how to create passkey for MikroTik WiFi AP with Security Profile.
From Winbox, click on Wireless menu item. Wireless Tables window will appear.
Click on Security Profiles tab and then click on PLUS SIGN (+). New Security Profile window will appear.
Put a meaningful profile name (WiFi Profile) in Name input field.
Choose dynamic keys from Mode drop down menu.
Check WPA PSK and WPA2 PSK checkbox from Authentication Types panel.
Now provide strong password in WPA Pre-Shared Key and WPA2 Pre-Shared Key password box.
Click Apply and OK button.
MiKroTik Wireless AP Security Profile
Creating SSID for MikroTik WiFi AP
After creating Security Profile we will now set Wireless Mode and create SSID (Service Set Identifier) so that wireless devices can find our MikroTik Access Point with created SSID. The following steps will show how to create SSID and set wireless mode in hAP lite MikroTik Wireless Router.
Click on WiFi Interfaces tab and you will find WLAN interface (by default: wlan1) here. It may be disabled at first time. So, if you find disabled, click mouse right button on it and then click on Enable option to enable WiFi interface.
Double click on available and enabled WiFi Interface. Interface window will appear.
From General tab you can set WiFi interface name from Name input box or you can keep it default.
Click on Wireless tab and choose ap bridge from Mode dropdown menu.
Put SSID name (MikroTik AP) in SSID input box.
Now click on Advanced Mode button and choose your created security profile from Security Profile drop down menu.
Make sure Default Authenticate and Default Forward checkbox is checked. Otherwise devices will not be connected until MAC authentication.
Click Apply and OK button.
MikroTik WiFi AP Setup
Now created SSID will be found in wireless devices and wireless device can be connected providing password. You will find connected devices in Registration tab. But connection is not enough to get internet. IP address, default gateway and other network parameters have to provide to get internet to the connected devices. So, we will now do MikroTik Router basic configuration with creating bridge interface. We will also configure DHCP Server to assign IP address, default gateway and other network parameters automatically.
Step 3: Creating Bridge Interface and Adding LAN and WLAN Ports
We will now create a bridge interface and add ether2 to ether3 interfaces including WLAN interface to this bridge because we want to provide same block IP address to LAN and WiFi users. The following steps will show how to create bridge interface and add physical interfaces to it.
Click on Bridge menu item. Bridge interface will appear.
Click on Bridge tab and then click on PLUS SIGN (+). New Interface window will appear.
Put bridge interface name in (LAN_Bridge) Name input field.
Click Apply and OK button.
Now click on Ports tab and click on PLUS SIGN (+). New Bridge Port window will appear.
Choose ether2 interface from Interface dropdown menu.
Choose created bridge interface (LAN_Bridge) from Bridge dropdown menu.
Click Apply and OK button.
Similarly add ether3, ether4 and wlan1 interfaces to this bridge.
Adding Interface to Bridge
Step 4: Basic RouterOS Configuration
We will now do RouterOS basic configuration where we will assign WAN IP, LAN Gateway, DNS IP, and Default Gateway IP and configure NATing. The following steps will show how to do basic configuration in MikroTik Wireless Router.
Go to IP > Address menu item. Address List window will appear.
Click on PLUS SIGN (+). New Address window will appear. Put ISP provided IP address (192.168.70.2/30) in Address input box. Now choose ether1 from Interface dropdown menu. Click Apply and OK button.
Similarly, click on PLUS SIGN (+) again and put LAN Gateway IP (10.10.70.1/24) in Address input field and choose bridge interface (LAN_Bridge) from Interface dropdown menu and click Apply and OK button.
Now go to IP > DNS menu item. DNS Settings window will appear. Put your ISP provided DNS IP or Google Public DNS IP 8.8.8.8 in Servers input field.
Go to IP > Routes menu item. Route List window will appear. Click on Gateway input field and put ISP provided gateway IP (192.168.70.1) in this field. Click Apply and OK button.
Go to IP > Firewall menu item. Firewall window will appear. Click on NAT tab and then click on PLUS SIGN (+). New NAT Rule window will appear. From General tab choose srcnat from Chain drop down menu and put LAN Block (10.10.70.0/24) in Src. Address input field. Click on Action tab and choose masquerade from Action drop down menu and then click Apply and OK button.
Now click New Terminal menu item and ping google.com. If everything is OK, you will get response that means MikroTik Router is now ready to communicate to internet.
MikroTik Winbox Terminal
Step 5: DHCP Server Configuration on Bridge Interface
We will now setup DHCP Server on bridge interface so that WiFi users and LAN users can get IP address, default gateway and other network parameters automatically. The following steps will show how to setup DHCP Server on bridge interface in MikroTik RouterOS.
Go to IP > DHCP Server menu item. DHCP Server window will appear.
Click on DHCP Setup button. DHCP Setup window will appear.
Choose bridge interface (LAN_Bridge) from DHCP Server Interface drop down menu and then click Next button.
LAN Block (10.10.70.0/24) will be automatically assigned in DHCP Address Space input field. So, nothing to do. Just click Next button.
LAN Gateway (10.10.70.1) will automatically be assigned in Gateway for DHCP Network input field. So, just click Next button.
IP Pool from where IP address will be assigned to Wireless devices and LAN devices will be automatically assigned from LAN Block (10.10.70.2-10.10.70.254) in Addresses to Give Out input field. So, just click Next button.
Your assigned DNS Server IP will automatically be assigned in DNS Server input filed. So click Next button.
Default DHCP lease time is 10 minute. So, 10 minute will keep assigned in Lease Time input filed. If you want, you can increase lease time as much you want. Click Next button.
Now you will find DHCP Setup successful message window. Just click OK button.
MikroTik DHCP Server Setup
MikroTik WiFi AP with DHCP Server is now ready. Now connect any wireless device or connect any LAN device. The device will get IP address, default gateway and other network parameters automatically and be able to get internet access.
With this MikroTik WiFi AP configuration any wireless user who knows WiFi password can connect with SSID and any LAN user who will be connected with LAN cable can able to get access to DHCP Server and DHCP Server will be happy to provide him/her IP address, default gateway and other network parameters because there is no filter rule to block unauthorized access.
MikroTik Wireless or WiFi AP is smart enough granting access based on MAC address. But MAC address filtering can only save WiFi access. LAN users should also filter based on MAC Address. For this, it is always better to use Static DHCP Server Configuration which will filter access based on MAC Address.
How to Configure MikroTik WiFi AP with DHCP Server in hAP lite Wireless Router has been discussed in this article. I hope you will now be able to configure MikroTik Wireless Router following the above steps properly. However, if you face any confusion to follow the above steps properly, feel free to discuss in comment or contact with me from Contact page. I will try my best to stay with you.
Mikrotik devices are wonderful networking tools. They offer flexibility and cost empowerment to solve networking problems. But, the way we deploy Mikrotiks in the industry is creating multiple security risks. People are not spending the time to secure Mikrotik devices.
Organizations deploying Mikrotik devices are creating security risks inside their organization.
ISPs who are not tracking the Mikrotik deployments on their customers are creating a risk for their business, network, and other customers.
The Industry who are not pushing for better “out of the box” Mikrotic security is accepting massive DDoS attack, gateways for ransomware crews, and a range of other abuse.
It cannot be ignored that Mikrotik devices are 2022’s most dangerous malware platform. We hope this work will help engineers, administrators, and organizations seek out, secure, and clean up the Mikrotik devices in their network.
Step-by-Step Guide for Securing your Mikrotik Device
First, with any network device, there are core principles that lead to security and resiliency. These are general principles that we will point out in this guide. They are applied to any network vendor.
Second, we will present several deployment scenarios. In this scenario, we are working to secure a basic Mikrotik router connected to the Internet (see the figure).
Lastly, if you go through these steps and find problems, ASSUME YOUR ROUTER IS COMPROMISED! At the end of this process, you will need to do a NETINSTALL, rebuild the Mikrotik device, and start from scratch.
WHY?
The modern compromises to Mikrotik devices can get into the underlying Linux operating system. These RouterOS remediation steps cannot fix problems inserted into the device’s Linux. It must be rebuilt.
Step 0 – Assume your Mikrotik is infected, owned, and controlled by a Miscreant.
The number of exposed, vulnerable, and known Mikrotik devices is in the millions. Given this, it is best to assume that your device is controlled by a miscreant using your device for criminal activities. Criminal activities that put your network at risk.
Through this guide, we will continuously assume the Mikrotik device is compromised. Each step allows us to build confidence in the configuration and the deployment.
Assume miscreants already control your Mikrotik Devices.
Step 1 – Backup Your Device
Yes! The first step is to back up your Mikrotik device and copy the backup to a safe location. This action is common sense before making any changes to a device or the network.
Mikrotik’s new BACKUP documentation provides details. (https://help.mikrotik.com/docs/display/ROS/Backup)
Don’t depend on the Mikrotik Cloud Backup!
Since RouterOS v6.44 it is possible to securely store your device’s backup file on MikroTik’s Cloud servers; read more about this feature on the Mikrotik IP/Cloud page. But what happens if you cannot get to the cloud backup? It is common sense to have a local backup location along with the convenience of a cloud backup. Do both.
Step 2 – Upgrade Mikrotik’s Winbox
Ease of use is one of the core reasons why there are so many Mikrotiks deployed. People do not need to be network experts to get value. Mikrotik’s Winbox application is one of the key reasons. Winbox is a small utility that allows the administration of MikroTik RouterOS using a fast and simple GUI. It is a native Win32 binary but can be run on Linux and macOS (OSX) using Wine. All Winbox interface functions are as close as possible, mirroring the console functions, which is why there are no Winbox sections in the manual.
You now have confidence that you have the latest version of Winbox deployed on your network.
Step 3 – Upgrade RouterOS
Moving to an updated version of the RouterOS software is the first step. It is not a “security fix” but a critical security step.
Mikrotik’s Upgrading and Installation documentation provides details on how to upgrade. Upgrading to the latest stable version of Router OS software is recommended.
Step 4 – Username and Passwords
Mikrotik out-of-the-box has a default username of “admin” and NO PASSWORD! Yes, this contradicts the industry’s best common practices (BCPs). It exposes your brand new Mikrotik device to miscreants constantly scanning the Internet looking for new devices that have yet to change the default username and add a password. Mikrotik’s documentation has you connecting the device to the network with no security, then says ….
“Now anyone worldwide can access our router,so it is the best time to protect it from intruders and basic attacks.”
Just assume the miscreants have your Mikrotik username and password. Change your username and password!
Mikrotik’s Protecting the Router documentation has details to change the password. Here is a practical workflow:
Change the Password of the user “admin” on the device. Remember the new password.
Add new users to maintain the router. These new users would replace the “admin” user.
Test the new username and passwords to ensure you have access. Have a separate username/password for your Winbox access.
Test the Winbox configuration to ensure it works with the new usernames/passwords.
Delete the user “admin.”
Change the username and password to
Test your Passwords to see if compromised
The Have I been PWND site is a public service that allows people to check their usernames, emails, and passwords. Testing any new password on Have I been PWND is prudent, validating the exposure.
https://haveibeenpwned.com/
Use Have I Been PWNED as a tool to test your usernames and passwords!
Step 5 – Limit the Source IP Blocks to Connect to the Router
The world does not need to connect to your router. The world should not be telneting or trying to use Winbox from all over the world. Limit the IP Source address used for the username and the most critical services.
Restrict username access for the specific IP address. In this example, we’re using the network from the illustration 192.168.2.0/24
/user set 0 allowed-address=192.168.2.0/24
Restrict Winbox service access to be only from a specific subnet:
/ip service set winbox address=192.168.2.0/24
Step 6 – Change the port # for SSH
Changing the SSH port number is a trick to minimize brute-force password hacking on your router. Change and test the port before turning off the telnet service on the router!
The port number for SSH is 22 by default. Here, we change the default SSH port number from 22 to 2200. This will make it harder for miscreants’ “scanning tools” to find your SSH port and “brute force” password guessing.
/ip service set ssh port=2200
Test the SSH connection! Ensure you can SSH to the new port (2200 in this example).
Step 7 – Limit the Services Opened on the Router
Once you know SSH works on the new port, you can turn off the Telnet Service:
/ip service print
/ip service disable telnet
/ip service print
Don’t stop by turning off telnet. There is a range of services that Mikrotik turns on that are not needed.
The Best Common Practice (BCP) for security on network devices is to turn off everything! Then turn on specific functions/services as part of your network design. Minimize RISK by minimizing what is running in the background on your network device.
Start with disabling these services:
/ip service print
/ip service disable telnet,ftp,www,api,api-ssl
/ip service print
A bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment. This can be used as a DDoS tool.
/tool bandwidth-server set enabled=no
Don’t let the router be a DNS DDoS Reflector. DNS cache might be configured on the router, which turns it into a DDoS Reflector. Make sure it it turned off.
/ip dns set allow-remote-requests=no
If you need the DNS Cache to have the router, explicitly set up the DNS function to restrict who can use the Mikrotik router for DNS traffic (i.e. only inside your network).
Step 8 – Turn off Direct Access via the MAC Address
By default, the mac server runs on all interfaces. That means anyone directly connected to the Mikrotik device can connect or telnet to the device. This allows miscreants inside the network to connect back to the device.
Mikrotik provides an up-to-date neighbor discovery service that includes the MNDP (MikroTik Neighbor Discovery Protocol), CDP (Cisco Discovery Protocol), and LLDP (Link Layer Discovery Protocol) in the Layer2 broadcast domain. It can be used to map out your network.
Miscreants, malware, and APT (advanced persistent threat actors) already inside your network can use Network Discover Protocol to map out your network.
The Best Common Practice (BCP) is to turn off Network Discovery by default.Mikrotik turns network discover ON by default. So it needs to be manually turned off:
To disable neighbor discovery on all interfaces:
/ip neighbor discovery-settings set discover-interface-list=none
Step 10 – Limit WHO on the Internet Can Access Your Mikrotik!
Limit which services can access the router on the Internet-facing “public interfaces” (see illustration). This is done with Mikrotik’s Firewall Service.
There are core access list/firewall filter principles for how you protect your router, network, services, and your organization. Protecting Routers, Switches, and Network Devices is a good video tutorial on YouTube that walks through these principles. In this example, IP connectivity on the public interface must be limited by the Mikrotik firewall feature. In this example, we will accept only ICMP(ping/traceroute), IP Winbox, and ssh access.
The is a mix of guidelines and references. Here are some to explore when building your firewall access rules to protect your router, network, and organization.
Step 11 – Don’t let your Mikrotik be used as a “DDoS Proxy!”
Mikrotik’s proxy, socks, UPnP, and other services are getting turned ON “accidentally,” turning the Mikrotik into a powerful DDoS Weapon. These features, combined with other Mikrotik capabilities, turn the device into a “bot” that becomes a member of the threat actor’s BOTNET.
DO NOT LET MISCREANTS USE YOUR MIKROTIK DEVICE FOR CRIMINAL ACTIVITY!
Mikrotik disables these by default. Check if they are turned on and manually turn them off – to be sure:
MikroTik caching proxy
/ip proxy set enabled=no
MikroTik socks proxy
/ip socks set enabled=no
MikroTik UPNP service
ip upnp set enabled=no
MikroTik dynamic name service or IP cloud
/ip cloud set ddns-enabled=no update-time=no
Step 12 – Start Cleaning Up Your “Compromised” Router
At this point, it is time to see if your Mikrotik device has been compromised. As you can see in this Mikrotik blog post – MĒRIS BOTNET – Mikrotik devices are sought after by threat actors and miscreants. As mentioned in the beginning, we are making the assumption your device has been compromised.
Check the Mikrotik Scheduler. The threat actor will install a rule that executes the script. Those scripts are evolving and creative. Check every scheduled script (under System → Scheduler). If you don’t know the script, download a copy, then delete it. Look for scripts with the fetch () method.
Check Files on the Mikrotik Router – Delete Unknown Files. Check the files on your Mikrotik. If you do not recognize it, download a copy, then delete the file.
Check the SOCKS Proxy. We covered this earlier, but it is worth checking again. An unknown SOCKS proxy server enabled on your router indicates that the router has been compromised.. You’ll find the setting under IP → SOCKS; if you do not use it, disable it;
Check for L2TP Clients. Threat Actors will use L2TP to control the router as part of a BOTNET. Look for any L2TP clients called lvpn, (or any other L2TP client unfamiliar to you). Delete these clients.
Check all the Firewall Rules! A threat actor will “open a hole” in the firewall to allow them to get remote access. For example, a firewall rule that allows remote access through port 5678 was used as part of the early versions of the MĒRIS botnet. Remove this rule, then check each firewall rule.
Trickbot is a modular trojan that’s been around since 2016 and is often used by cybercriminals to deliver ransomware or other malware. The miscreants using Trickbot have found they can use Mikrotik Routers as “proxies” to hide their Trickbot Command and Control.
The Trickbot “miscreant threat actors” are using the same approach we are working to prevent in the previous defensive steps:
Trickbot crews are using default MikroTik passwords where the device has been plugged in before being securely configured.
Trickbot crews scan for Mikrotik devices, then launch brute force “password guessing” attacks. Microsoft has seen attackers use some unique passwords that probably were harvested from other MikroTik devices.
Trickbot crews are exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. This vulnerability gives the attacker the ability to read arbitrary files like user.dat, which contain passwords.
Microsoft’s Section 52 Team we able to explore Mikrotik confirmation commands to unravel the Trickbot crew’s source and intent. For example, we observed attackers issuing the following commands:
From the command, we can understand the following:
A new rule, similar to iptables, is created.
The rule redirects traffic from the device to a server
The redirected traffic is received from port 449 and redirected to port 80
The command looks like a legitimate network address translation (NAT) command that allows the NAT router to perform IP address rewriting. Here the Trickbot miscreants have compromised the Mikrotik router and configured the NAT for malicious activity. Trickbot’s Command and Control (C2C) is known for using ports 443 and 449.
How can you check if TrickBot’s Firewall Rule is installed?
Run the following command to detect if the NAT rule was applied to the device (completed by the tool as well):
/ip firewall nat print
If the following data exists; it might indicate a Trickbot infection:
Run the following command to remove the potentially malicious NAT rule:
/ip firewall nat remove numbers=
Step FINAL – NETINSTALL and Start from Scratch
The final step is the reality check. There is no way to RouterOS commands can fix malware inserted into the device’s Linux operating system. This process helps to shape your troubleshooting, confirm if there is a compromise, and the process to configure Mikrotik to be secure.
Netinstall is a tool for installing and reinstalling MikroTik devices running RouterOS. Always try using Netinstall if you suspect your device is not working properly.
Tools to Check your Mikrotik Device
Severial companies have tool to help you track, check, and secure your Mikrotik devices.
Shadowserver’s Daily Network Report
Shadowserver provides any organization with IP addresses, Autonomous System Numbers (ASNs), or Domain Names with daily report based on their vast array of security telemetry. The Daily Network Reports are FREE and a Public Service to protect the Internet. Mikrotik devices that are exposed, vulnerable, or compromised are listed in the reports. Find out more about the Network Reports and How to Subscribe to the reports on wwww.shadowserver.org.
Meris RouterOS Checker
The Meris RouterOS Checker is a open source tool crafted by Eclypsium to help network admins check their Mikrotik devices.
There is a Youtube Playlist for a “how to secure your Mikrotik” device here: Mikrotik Router Security – How to keep control over your Mikrotik devices. It is good to watch and listen to many of your peers working to secure their devices. Taking action to protect your network is the most critical element!
The materials and guides posted on www.senki.org here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.
MikroTik RouterOS is the stand-alone Linux operating system that is used with MikroTik’s networking equipment. However, that is not the only function it can perform. It is more than just an OS for routers. In fact, this software can even be installed on regular PCs to turn them into dedicated routers.
Nevertheless, the blog is a step-by-step tutorial on how to configure port forwarding in MikroTik. Before we get into it, however, we will first discuss a little more about the OS itself and give you a general idea of what port forwarding id&Mikrotik port Forwarding, and RouterOS Port Forwarding actually is.
What is Mikrotik?
MikroTik itself is a Latvian network equipment manufacturing company. They develop and sell wired and wireless network routers, network switches, access points, operating systems, and auxiliary software for their products.
MikroTik’s RouterOS is the operating system that powers its devices and has a very high level of flexibility when it comes to network management. RouterOS can also be installed on a PC turning it into a router with all the necessary features – routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server, and more.
The feature that we will delve into today is RouterOS port forwarding. Unlike with other operating systems, the way to set it up might not be very intuitive, but not difficult at its core. Before setting up the configuration, let us first explain what port forwarding is.
What is Port forwarding?
Port forwarding is the process of intercepting data traffic headed for a computer’s IP/port combination and redirecting it to a different IP and/or port. This process can be easily done using a MikroTik router or any system running RouterOS.
Before we get to that, try to imagine the following situation:
You are an IT administrator. You created a large network, and someone wants to connect remotely to your VPS server or dedicated server to work remotely. You can’t share the server IP with that person for security reasons. What should you do? In this situation, you should use port forwarding on the MikroTik router to handle all the requests. Also, You can check out our Mikrotik VPS Server.
How to Configure Mikrotik Port Forwarding?
In this section, we’ll provide detailed step-by-step instructions for configuring MikroTik port forwarding for various purposes. We’ll cover three common scenarios: forwarding to an internal web server, FTP server, and SSH server. Each set of instructions will be presented clearly and concisely, catering to readers with varying levels of technical expertise.
Step 1: Log in to your own MikroTik server with admin privileges.
Step 2: Click on IP from the left side panel.
Step 3: In the newly opened submenu, click on Firewall.
Step 4: Head over to the NAT tab in the Firewall window.
Step 5: Click on the + button to create a new rule.
Note: In this scenario, assume the router connects to IP (10.10.10.10), and we want to forward all requests from (10.10.10.10:5847) to the (20.20.20.20:4324).
Step 6: Click on the General tab and select dstnat from the chain drop-down list.
Step 7: In the Dst. Address field, type the IP you wish to forward all requests from (i.e., 10.10.10.10 in our case).
Step 8: From the Protocol list, select the connection protocol, such as TCP.
Step 9: In the Dst. Port field, type the port you wish to forward requests from (i.e., 5847 in this example). Step 10: Now, navigate to the Action tab.
Step 11: From the Action drop-down list, select dst-nat.
Step 12: In the To Addresses field, type the IP to which you wish to forward all requests (i.e., 20.20.20.20 in our case).
Step 13: In the To Ports field, type the port you want to forward requests to (i.e., 4324 in this example).
Step 14: Click on Apply and then on OK to save and add the new rule.
And that’s it. You have successfully configured your first port forwarding rule on MikroTik. To add new port forwarding rules, simply follow the steps with new ports or IPs.
Troubleshooting Tips
While configuring port forwarding is a valuable skill, issues may arise during the setup process. Here are some common problems users may encounter and tips on how to troubleshoot them:
Port Conflicts
Problem: Another device or application is already using the port you intend to forward.
Solution: Check for port conflicts by verifying that the chosen port is not in use elsewhere on your network. Consider changing the forwarded port if necessary.
Incorrect IP Address
Problem: Forwarding to the wrong internal IP address can lead to connection failures.
Solution: Double-check and ensure that you’ve entered the correct internal IP address of the target device or server in your port forwarding rule.
Firewall Blocking
Problem: The target server’s firewall may be blocking incoming traffic on the forwarded port.
Solution: Adjust the firewall settings on the target server to allow incoming connections on the forwarded port. Ensure both your router’s and server’s firewalls are correctly configured.
Dynamic IP Address
Problem: If your internal device has a dynamic IP address that changes, the port forwarding rule may become invalid.
Solution: Configure your router to assign a static or reserved IP address to the internal device. This ensures that the port forwarding rule remains effective even if the IP address changes.
ISP Restrictions
Problem: Some Internet Service Providers (ISPs) may impose restrictions on certain ports.
Solution: Contact your ISP to inquire about any port restrictions. Consider using alternative ports for forwarding if necessary.
Common Use Cases of Port Forwarding
Port forwarding is a versatile networking technique with a wide range of applications. Here, we’ll explore some common scenarios where port forwarding becomes a crucial tool:
Remote Desktop Access
In today’s interconnected world, the need for remote access to computers is paramount. Whether you’re an IT administrator managing servers or a remote worker accessing your office desktop, port forwarding enables secure access to remote desktops. By forwarding the appropriate port (e.g., TCP port 3389 for RDP) on your MikroTik router to the target computer’s IP, you can access it from anywhere, enhancing productivity and flexibility.
Online Gaming
Online gaming enthusiasts often rely on port forwarding to achieve optimal gaming experiences. Popular multiplayer games, like those on gaming consoles or PC platforms, require specific ports to be open for seamless connectivity. Port forwarding ensures that game traffic flows smoothly between players, reducing lag and enhancing the gaming experience.
Optimize your gameplay with a Gaming VPS Server! Deploy yours now and elevate your gaming experience with powerful resources. Explore the potential of Linux commands for ultimate customization and control.
Web Server Hosting
For businesses and individuals hosting websites or web applications, port forwarding is indispensable. By forwarding HTTP (port 80) or HTTPS (port 443) requests to a web server’s internal IP, you can make your website accessible to users on the internet. This is essential for businesses looking to establish an online presence and for developers testing their web applications.
File Sharing and FTP Servers
Sharing files across the internet or running an FTP server for file transfers often requires port forwarding. Whether you’re sharing files with colleagues, clients, or friends, port forwarding allows external users to connect to your FTP server securely. FTP typically uses port 21 for control connections and a range of ports for data transfers, making precise port forwarding crucial.
Surveillance Systems (NVR/DVR)
Security is a top concern for many homeowners and businesses. Network Video Recorders (NVRs) and Digital Video Recorders (DVRs) used for video surveillance can benefit from port forwarding. By forwarding specific ports, you can remotely access your surveillance system, view live camera feeds, and review recorded footage from anywhere with an internet connection.
Network Diagram
In this section, we’ll provide a visual representation of the network setup, which is essential for you to understand the context of the port forwarding configuration. This diagram illustrates how the MikroTik router is connected to both the WAN and LAN and how port forwarding plays a vital role in the overall network architecture.
The network setup consists of the MikroTik router with its ether1 interface connected to the WAN, having an IP address of 120.50.–.198. Meanwhile, the ether2 interface is connected to a LAN switch with an IP address of 193.168.20. Within the LAN, there are three servers: a web server, an FTP server, and an SSH server. These servers are only accessible to users within the local network. Port forwarding will enable users outside the local network to access these servers via the Internet.
Alternative Methods for Mikrotik Port Forwarding
While port forwarding is a widely used method for network configuration, there are alternative approaches and tools that can achieve similar results:
Virtual Private Networks (VPNs)
VPNs provide a secure and versatile way to access resources on your network remotely. By setting up a VPN server on your MikroTik router, you can create a secure tunnel for remote access to your local network, bypassing the need for port forwarding. VPNs are particularly useful for remote desktop access and ensuring data encryption.
Reverse Proxies
For web hosting purposes, reverse proxies can be an alternative to port forwarding. A reverse proxy server can receive incoming web requests and route them to the appropriate backend server, effectively hiding the internal server’s IP address. This method can enhance security and load balancing for web applications.
Cloud Services
Consider leveraging cloud-based solutions for certain applications. Cloud-hosted services, such as cloud-based surveillance systems or cloud-based web hosting platforms, eliminate the need for port forwarding by providing remote access through dedicated cloud infrastructure.
Notes and Recommendations
In this section, we present important considerations and recommendations to optimize your MikroTik port forwarding setup and safeguard against common pitfalls. By adhering to these guidelines, you can ensure a seamless and secure port forwarding configuration:
Keep RouterOS Updated
Before embarking on your port forwarding journey, it is imperative to verify that your MikroTik router is running the latest version of RouterOS. Regularly updating your router’s operating system ensures that you benefit from the latest features, bug fixes, and security enhancements. Visit the MikroTik website to download and install the most recent RouterOS release.
Firewall Configuration
To enable successful port forwarding, pay close attention to your server’s firewall settings. In addition to configuring port forwarding rules on your MikroTik router, you must permit incoming connections to the designated ports on the target server. Failing to adjust the server’s firewall may result in inaccessible services. Ensure that any firewall software or hardware on the server is properly configured to allow traffic on the forwarded ports.
Protocol and Port Accuracy
Precision is key when specifying the protocol and port numbers for your port forwarding rules. Be certain that you accurately identify the protocol type (e.g., TCP, UDP) and the port number associated with the service you intend to forward. Incorrect settings can lead to connectivity issues or security vulnerabilities. Consult the documentation of the service or application you are forwarding to verify the correct protocol and port details.
Logging and Monitoring
Implement logging and monitoring practices to keep track of port forwarding activities. MikroTik routers offer comprehensive logging capabilities that can assist in troubleshooting and security monitoring. Regularly review logs to detect any unusual or unauthorized access attempts. Consider setting up alerts or notifications for specific events, ensuring timely response to potential threats.
Security Best Practices
While port forwarding is a powerful tool for remote access, it should be approached with security in mind. Implement strong authentication mechanisms for services exposed through port forwarding. Utilize secure, complex passwords and, where applicable, consider implementing additional security layers such as VPNs or two-factor authentication (2FA). Regularly audit and update access credentials to maintain a high level of security.
Regular Testing
Periodically test the functionality of your port forwarding rules to verify that they are working as intended. Attempt remote access from outside your local network to confirm that the forwarded services are accessible. Regular testing helps identify and address any configuration issues or changes in network conditions.
Conclusion
We hope that with the help of this article, you now have a better understanding of Mikrotik port forwarding and can set up the port forwarding configuration on MikroTik without any issues. If you run into an issue or have any questions, you can post them in the comment section below or contact us via live chat or e-mail.
In modern cybersecurity, centralized log management is crucial for monitoring network activities and detecting potential threats. Wazuh, an open-source security platform, provides powerful log analysis and threat detection capabilities. By integrating pfSense, a widely used open-source firewall, with Wazuh via Syslog, administrators can enhance network visibility and security monitoring.
This guide will walk you through the process of configuring pfSense to send logs to Wazuh.
Configuring pfSense to Send Logs to Wazuh via Syslog
To enable remote logging in pfSense, navigate to Status → System Logs → Settings and scroll down to the Remote Logging Options section. Check Enable Remote Logging, then enter the IP address of your Wazuh server (e.g., 10.1.200.50) in the Remote Syslog Servers field. Set the Remote Syslog Port to 514, which is the default for Syslog. Next, select the log facilities you want to send, such as Firewall, System, and DHCP. For better compatibility with Wazuh,Don’t forget tp choose the RFC 5424 format. Finally, save the settings to apply the configuration.
Configuring Wazuh Server to Receive pfSense Logs
To configure Wazuh to receive logs from pfSense, edit the ossec.conf file on the Wazuh server. In the <remote> section, add the Syslog connection with port 514, using the UDP protocol, and set the allowed IP to the pfSense interface IP (e.g., 10.1.200.254). The local IP address of the Wazuh server should match the one set in the pfSense remote logging settings. After saving the changes, restart the Wazuh Manager and check the logs to confirm that pfSense logs are being received. If you see the logs, the setup is successful.
Testing Log Reception on Wazuh Manager with tcpdump
To verify that pfSense logs are reaching the Wazuh server, use tcpdump to capture Syslog traffic. Run tcpdump on the Wazuh server to listen for UDP packets on port 514, ensuring logs are being transmitted. If packets from the pfSense IP appear in the output, the connection is successful. Otherwise, check pfSense’s remote logging settings and firewall rules.
Example of a pfSense Log Received by Wazuh
Creating a Decoder and Rules for Matching pfSense Logs in Wazuh
We created a decoder and rules in Wazuh to properly analyze and categorize pfSense logs. By default, Wazuh may not recognize pfSense logs correctly, as they have a specific format. The decoder helps extract important details like source IP, destination IP, and protocol from the raw logs. The rule then matches specific events, such as blocked traffic, and assigns them a severity level. This allows Wazuh to generate alerts for security-relevant events, making it easier to monitor and respond to potential threats in the network.
Testing a pfSense Log with a Custom Decoder in WazuhTesting a pfSense Log with a Custom Rule in Wazuh
pfSense Logs Successfully Integrated with Wazuh
Note: While it is possible to install the Wazuh agent directly on pfSense, it is not recommended due to compatibility and performance concerns. pfSense is a firewall appliance, and adding extra software like the Wazuh agent may affect its stability and security. Instead, using remote Syslog logging to send logs to a dedicated Wazuh server is the best practice for efficient monitoring without impacting pfSense’s performance.
VLAN (𝑉𝑖𝑟𝑡𝑢𝑎𝑙 𝐿𝑜𝑐𝑎𝑙 𝐴𝑟𝑒𝑎 𝑁𝑒𝑡𝑤𝑜𝑟𝑘) is a basic networking technology that allows us to logically separate devices within a single physical network. Think of it as creating multiple virtual networks on one switch, giving you control over performance, security, and network management—all without the need for additional hardware.
𝐖𝐡𝐲 𝐬𝐡𝐨𝐮𝐥𝐝 𝐲𝐨𝐮 𝐜𝐚𝐫𝐞 𝐚𝐛𝐨𝐮𝐭 𝐕𝐋𝐀𝐍? In today’s fast-paced tech landscape, VLANs are essential for optimizing network performance and flexibility. Whether you’re in a business, educational institution, or a data center, VLANs provide benefits that can transform your network.
𝐇𝐞𝐫𝐞 𝐚𝐫𝐞 𝐭𝐡𝐞 𝐛𝐞𝐧𝐞𝐟𝐢𝐭𝐬 𝐨𝐟 𝐕𝐋𝐀𝐍: 1) Network Segmentation VLANs enable logical separation of devices based on functions, departments, or needs. For example, you can set up VLANs for Staff, IT department, and guests to ensure separation and better control.
ARP maps a Layer 3 IP address to an Unknown Layer 2 MAC address, which is key for Nic-to-Nic communication at the data link layer.
Here’s a quick overview:
1. PC1 needs PC3’s MAC and IP address to communicate. 2. The IP can be static or assigned dynamically via DHCP. 3. To test connectivity, John use PC1 to ping PC3 in the same LAN.
How it works: – PC1 sends an ARP request to resolve PC3’s MAC address. – The ARP request is broadcast, with unknown destination MAC set to all F’s. – PC3 replies with its MAC address with an ARP reply, allowing PC1 to send the ICMP request to eventually get an ICMP reply from PC3.
Understanding ARP is key to knowing how data moves through a network for effective communication and to troubleshoot various issues.
