For those who have not seen the new options in the Mikrotik Speedtest tool, here you go. These options are available via the command line only so far and first appeared in 6.44beta. Details have been wiped to protect the innocent. This was a little mAP behind a few layers of NAT on a cable modem.
Category: Mikrotik
Basic IPV6 Mikrotik Firewall
Below is a basic IPv6 firewall filter for your Mikrotik CPE devices. It is a good start for customer-facing CPE: return traffic and ICMPv6 are allowed, the LAN can reach the WAN, the router accepts DHCPv6 from the WAN side, and everything else that arrives on the WAN is rejected. Rules are evaluated in order and the first match wins, so the two reject rules must stay at the end of their chains; the original post had a stray space in connection state, which RouterOS would not accept, and it is written as connection-state below.
/ipv6 firewall filter
add chain=forward comment="allow forwarding established, related" connection-state=established,related
add chain=forward comment="allow forward lan->wan" in-interface=lan out-interface=wan
add chain=forward comment="allow ICMPv6 forwarding" in-interface=wan protocol=icmpv6
add action=reject chain=forward comment="reject every other forwarding request" reject-with=icmp-port-unreachable
add chain=input comment="accept established, related" connection-state=established,related
add chain=input comment="allow ICMPv6" in-interface=wan protocol=icmpv6
add chain=input comment="allow DHCPv6 renew" dst-address=fc00::/6 dst-port=546 in-interface=wan protocol=udp src-address=fc00::/6
add chain=input comment="allow lan" in-interface=lan
add action=reject chain=input comment="reject everything else" reject-with=icmp-port-unreachable
One of the common questions I get is: what is the difference between masquerade and src-nat, and which should I use?
The quick answer is to use src-nat if your gateway IP is static, and use masquerade if it can change. A src-nat rule needs a to-addresses= parameter naming the public address to translate to, so if that address ever changes the rule keeps translating to the old one until you edit it. Masquerade takes the address from the out-interface at the time the connection is created, and as the wiki explains below, it also flushes its connection tracking entries when the interface address changes.
The Mikrotik Wiki Entry
Firewall NAT action=masquerade is a unique subversion of action=srcnat; it was designed for specific use in situations when the public IP can randomly change, for example when a DHCP server changes it, or a PPPoE tunnel gets a different IP after a disconnect, in short, when the public IP is dynamic.
Every time the interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries that send packets out that interface, this way improving system recovery time after a public IP address change.
Mikrotik Brute Force Backup
Looking to recover a password from a Mikrotik backup? The project below provides tools to encrypt/decrypt and pack/unpack RouterOS v6.13+ backup files. Because the backup is protected only by a key derived from the backup password, an attacker who obtains the file can try passwords offline at their leisure, and a backup contains the full configuration, including any stored secrets. That is one of the reasons a strong password is important, and a reason to treat backup files as sensitive.
https://github.com/BigNerd95/RouterOS-Backup-Tools/blob/master/README.md
https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader
This is a new feature which allows the protection of RouterOS configuration and files from a physical attacker by disabling etherboot. It is called "Protected RouterBOOT". This feature can be enabled and disabled only from within RouterOS after login, i.e., there is no RouterBOOT setting to enable/disable this feature. These extra options appear only under certain conditions. When this setting is enabled, both the reset button and the reset pin-hole are disabled. Console access is also disabled. The only way to change the boot mode or RouterBOOT settings is through RouterOS. If you do not know the RouterOS password, only a complete format is possible.
Mikrotik Advanced Tools
Recently I had a customer call who was missing some tools like "IP Scan" and others under Tools. They had forgotten to add the "advanced-tools" package. It is not always installed by default, so you have to add it manually: upload the package for your RouterOS version and architecture and reboot, and the missing tools appear.
New Mikrotik hardware
From the latest Mikrotik newsletter
Mikrotik Destination Nat
Scenario
You have a customer with a Mikrotik router that needs a port forwarded to an internal IP address. In our case, a customer has a camera that communicates on port 80 with a static IP address of 192.168.21.49 on their internal LAN.
Solution
add action=dst-nat chain=dstnat dst-port=80 in-interface=wan protocol=tcp to-addresses=192.168.21.49 to-ports=80
The in-interface=wan matcher (or equivalently dst-address= set to the router's public address) matters: the dstnat chain sees every packet entering the router, so a rule that matches only on protocol and port 80 would also catch the LAN clients' outbound web traffic and send it to the camera. If the router has a forward-chain filter, it must also accept the translated traffic towards 192.168.21.49, and if only a known set of remote addresses needs the camera, add src-address= to the rule rather than exposing port 80 to the whole Internet.
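To make the first-match behaviour concrete for both the IPv6 filter earlier on this page and the dst-nat rule above, here is an added Python example (not code from the original posts or from MikroTik). It parses RouterOS "add key=value" lines with a small matcher that covers only the fields those rules use, walks each chain in order, and reports the action of the first matching rule. The interface names wan and lan are the ones used on this page; the packets are constructed for the example, and connection state is supplied as an input because on a real router the kernel's connection tracking decides it.

```python
"""Evaluate RouterOS-style firewall rules against constructed packets.

Added example, not code from the original page or from MikroTik. It models
only the matchers the page's rules use (chain, in-interface, out-interface,
protocol, dst-port, src-address, dst-address, connection-state) with
RouterOS first-match semantics: the first rule in a chain that matches
decides the action; if none matches, the chain accepts.
"""
import ipaddress
import shlex

# The IPv6 filter from the post (connection-state spelled with the hyphen RouterOS requires).
IPV6_FILTER = """
/ipv6 firewall filter
add chain=forward comment="allow forwarding established, related" connection-state=established,related
add chain=forward comment="allow forward lan->wan" in-interface=lan out-interface=wan
add chain=forward comment="allow ICMPv6 forwarding" in-interface=wan protocol=icmpv6
add action=reject chain=forward comment="reject every other forwarding request" reject-with=icmp-port-unreachable
add chain=input comment="accept established, related" connection-state=established,related
add chain=input comment="allow ICMPv6" in-interface=wan protocol=icmpv6
add chain=input comment="allow DHCPv6 renew" dst-address=fc00::/6 dst-port=546 in-interface=wan protocol=udp src-address=fc00::/6
add chain=input comment="allow lan" in-interface=lan
add action=reject chain=input comment="reject everything else" reject-with=icmp-port-unreachable
"""

# The port forward without an interface match, and the same rule limited to the WAN side.
DSTNAT_ANY_INTERFACE = "add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.21.49 to-ports=80"
DSTNAT_WAN_ONLY = DSTNAT_ANY_INTERFACE + " in-interface=wan"

# Fields that are parameters of the action, not packet matchers.
NON_MATCHERS = {"action", "chain", "comment", "reject-with", "to-addresses", "to-ports"}


def parse_rules(script):
    """Turn `add key=value ...` lines (RouterOS export syntax) into dicts."""
    rules = []
    for line in script.strip().splitlines():
        tokens = shlex.split(line)          # keeps comment="a b" as a single token
        if not tokens or tokens[0] != "add":
            continue                        # skips the menu path line and blank lines
        rule = {"action": "accept"}         # RouterOS rules accept unless told otherwise
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def rule_matches(rule, packet):
    """True when every matcher in `rule` is satisfied by `packet` (a dict)."""
    for key, wanted in rule.items():
        if key in NON_MATCHERS:
            continue
        have = packet.get(key)
        if have is None:                    # rule matches a field the packet does not carry
            return False
        if key == "connection-state":
            if have not in wanted.split(","):
                return False
        elif key in ("src-address", "dst-address"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(wanted):
                return False
        elif str(have) != wanted:
            return False
    return True


def evaluate(rules, chain, packet):
    """Action of the first matching rule in `chain`; a chain accepts by default."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, packet):
            return rule["action"]
    return "accept"


# Constructed packets for the example; not captures from a real network.
WAN_TCP_NEW = {"in-interface": "wan", "out-interface": "lan", "protocol": "tcp",
               "dst-port": 22, "connection-state": "new"}
LAN_TCP_NEW = {"in-interface": "lan", "out-interface": "wan", "protocol": "tcp",
               "dst-port": 443, "connection-state": "new"}
WAN_TCP_REPLY = {**WAN_TCP_NEW, "connection-state": "established"}
WAN_DHCPV6 = {"in-interface": "wan", "protocol": "udp", "dst-port": 546,
              "src-address": "fe80::1", "dst-address": "fe80::2", "connection-state": "new"}
LAN_WEB_BROWSING = {"in-interface": "lan", "protocol": "tcp", "dst-port": 80}
WAN_TO_CAMERA = {"in-interface": "wan", "protocol": "tcp", "dst-port": 80}

if __name__ == "__main__":
    v6 = parse_rules(IPV6_FILTER)
    print("forward, new TCP from WAN:     ", evaluate(v6, "forward", WAN_TCP_NEW))
    print("forward, new TCP from LAN:     ", evaluate(v6, "forward", LAN_TCP_NEW))
    print("forward, reply from WAN:       ", evaluate(v6, "forward", WAN_TCP_REPLY))
    print("input, DHCPv6 from WAN:        ", evaluate(v6, "input", WAN_DHCPV6))
    print("input, new SSH from WAN:       ", evaluate(v6, "input", WAN_TCP_NEW))
    loose, strict = parse_rules(DSTNAT_ANY_INTERFACE), parse_rules(DSTNAT_WAN_ONLY)
    print("dstnat any-interface, LAN web: ", evaluate(loose, "dstnat", LAN_WEB_BROWSING))
    print("dstnat wan-only, LAN web:      ", evaluate(strict, "dstnat", LAN_WEB_BROWSING))
    print("dstnat wan-only, WAN to camera:", evaluate(strict, "dstnat", WAN_TO_CAMERA))
```

Running it shows the LAN client's ordinary port-80 request being rewritten to the camera by the rule without in-interface=wan, while the restricted rule leaves it alone and still forwards the WAN request; on the IPv6 side it shows that the reject rules at the end of each chain are what turn the list into a default-deny policy.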
Recently there has been some activity on integrating Let's Encrypt with Mikrotik. While Mikrotik does not support Let's Encrypt directly yet, you can make it work with this setup:
https://github.com/gitpel/letsencrypt-routeros
From the GitHub Page:
How it works:
- A dedicated Linux host renews and pushes certificates to RouterOS / Mikrotik
- After Certbot renews your certificates
- The script connects to RouterOS / Mikrotik using a DSA key (without password or user input)
- Delete previous certificate files
- Delete the previous certificate
- Upload two new files: Certificate and Key
- Import Certificate and Key
- Change SSTP Server Settings to use new certificate
- Delete the certificate and key files from RouterOS / Mikrotik storage
While not perfect, it is a start. Note that the last step matters: the uploaded key file sits in plain text on the router's storage until it is removed, so do not skip it if you adapt the script.
While troubleshooting an issue this morning I went to upgrade the RouterBOARD firmware on a CCR after bringing it up to 6.42. The upgrade-firmware version now matches the RouterOS version, so the firmware upgrade is no longer a separate version to keep track of; after the routerboard upgrade completes, a reboot is still required for the new firmware to take effect.
/system routerboard print
routerboard: yes
model: CCR1016-12S-1S+
firmware-type: tilegx
factory-firmware: 3.22
current-firmware: 3.41
upgrade-firmware: 6.42
Now, if Mikrotik would just provide release notes for the RouterBOARD firmware in a handy place.