RouterOS Howto (1) - Part 3
This is Part 3 of the RouterOS Howto for MikroTik hEX S.
Configure the WAN
Documentation:
- RouterOS manual [EN]
[RouterOS CLI]: Remove the WAN interfaces (ether1 & sfp1) from any bridges or interface lists, remove all DHCP clients from these interfaces and remove the VLAN interfaces
:foreach path in={
"ip dhcp-client"; "interface bridge port"; "interface list member";
"interface vlan";
} do={
[:parse "/$path remove [find interface~\"^ether1\" or interface~\"^sfp1\"]"]
[:parse "/$path print detail"]
}
for Init7
[RouterOS CLI]: Add the WAN interfaces to the interface list WAN
/interface list member
:foreach interface in={"ether1"; "sfp1"} do={
add list="WAN" interface="$interface"
}
print detail
[RouterOS CLI]: Configure DHCP clients for the WAN interfaces
/ip dhcp-client
:foreach interface in={"ether1"; "sfp1"} do={
add interface="$interface" add-default-route="yes" use-peer-dns="no" \
use-peer-ntp="no" dhcp-options="" disabled="no"
}
print detail
for Wingo
[RouterOS CLI]: Define the VLAN ID and the interface name suffix
:global vlan "10"
:global suffix "vlan$vlan"
[RouterOS CLI]: Configure VLAN interfaces on the WAN interfaces (ether1 & sfp1)
/interface vlan
:foreach interface in={"ether1"; "sfp1"} do={
add name="$interface-$suffix" loop-protect="on" vlan-id="$vlan" \
interface="$interface" disabled="no"
}
print detail
[RouterOS CLI]: Add the VLAN interfaces to the interface list WAN
/interface list member
:foreach interface in={"ether1"; "sfp1"} do={
add list="WAN" interface="$interface-$suffix"
}
print detail
[RouterOS CLI]: Configure DHCP clients for the VLAN interfaces
/ip dhcp-client
:foreach interface in={"ether1"; "sfp1"} do={
add interface="$interface-$suffix" add-default-route="yes" \
use-peer-dns="no" use-peer-ntp="no" dhcp-options="" disabled="no"
}
print detail
Configure the DHCP server
Documentation:
- RouterOS manual [EN]
[RouterOS CLI]: Remove any DHCP servers, DHCP networks, static leases & IP address pools
/ip dhcp-server
remove [find]
print detail
/ip dhcp-server network
remove [find]
print detail
/ip dhcp-server lease
remove [find]
print detail
/ip pool
remove [find]
print detail
LAN-STD-GW
[RouterOS CLI]: Configure an IP address pool
/ip pool
add name="lan-std-pool1" ranges="192.168.1.240/28"
print detail
[RouterOS CLI]: Configure a DHCP network
/ip dhcp-server network
add address="192.168.1.0/24" gateway="192.168.1.1" domain="raysoft.loc" \
dns-server="192.168.1.65,192.168.1.1" ntp-server="192.168.1.1"
print detail
[RouterOS CLI]: Configure a new DHCP server (the old ones were removed above)
/ip dhcp-server
add name="lan-std-dhcp" disabled="no" interface="bridge1-vrrp1" lease-time="1h" \
server-address="192.168.1.1" address-pool="lan-std-pool1"
print detail
Round up
[RouterOS CLI]: Configure static leases for certain MAC addresses or client IDs
/ip dhcp-server lease
remove [find]
...
add address="192.168.1.33" mac-address="XX:XX:XX:XX:XX:XX" \
comment="caesium (Surveillance camera): WiFi"
add address="192.168.1.129" client-id="aluminium-eth" \
comment="aluminium (Mac mini): Ethernet"
add address="192.168.1.131" client-id="copper-eth" \
comment="copper (MacBook Pro): Ethernet"
add address="192.168.1.132" client-id="copper-wifi" \
comment="copper (MacBook Pro): WiFi"
...
print detail
[RouterOS CLI]: Monitor the DHCP logs
/log print follow where topics~"^dhcp"
Configure the DNS server
Documentation:
- Public DNS [EN] @ SWITCH
- Download Roots/CRL [EN] @ QuoVadis
- RouterOS manual [EN]
[RouterOS CLI]: Configure the DNS server
/ip dns
set servers="9.9.9.9,149.112.112.112" allow-remote-requests="yes" \
cache-max-ttl="10m"
print
[RouterOS CLI]: Remove any static DNS entries & configure new ones
/ip dns static
remove [find name~"raysoft.loc"]
...
add name="tellurium.raysoft.loc" type="A" address="192.168.1.5" \
ttl="1h" comment="Firewall (active)"
add name="palladium.raysoft.loc" type="A" address="192.168.1.6" \
ttl="1h" comment="Firewall (passive)"
add name="argon.raysoft.loc" type="A" address="192.168.1.17" \
ttl="1h" comment="Switch (Office 1)"
add name="radon.raysoft.loc" type="A" address="192.168.1.18" \
ttl="1h" comment="Switch (Office 2)"
add name="titanium.raysoft.loc" type="A" address="192.168.1.21" \
ttl="1h" comment="Printer"
add name="printer.raysoft.loc" type="CNAME" cname="titanium.raysoft.loc" \
ttl="1d" comment="Printer alias"
add name="caesium.raysoft.loc" type="A" address="192.168.1.33" \
ttl="1h" comment="Surveillance camera"
add name="arsenic.raysoft.loc" type="A" address="192.168.1.49" \
ttl="1h" comment="Server"
add name="indium.raysoft.loc" type="A" address="192.168.1.52" \
ttl="1h" comment="Server"
...
print detail without-paging where name~"raysoft.loc"
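[RouterOS CLI]: Check that the static leases and the static DNS entries agree. The static lease list above and the static A records in raysoft.loc are maintained by hand, so the same host (e.g. caesium, 192.168.1.33) appears in both. The following script is an added consistency check and not part of the original howto; it assumes the two lists are meant to use the same address for the same host and reports every static lease that has no matching A record.

```routeros
# Added consistency check, not part of the original howto. It assumes the static
# leases and the static A records above use the same addresses for the same hosts.
:foreach lease in=[/ip dhcp-server lease find where dynamic=no] do={
  :local addr [/ip dhcp-server lease get $lease address]
  :local cmt [/ip dhcp-server lease get $lease comment]
  # look for a static record in raysoft.loc that points at the lease address
  :local recs [/ip dns static find where address=$addr and name~"raysoft.loc"]
  :if ([:len $recs] = 0) do={
    :put "MISSING: $addr ($cmt) has no static A record in raysoft.loc"
  } else={
    :put "ok:      $addr -> $[/ip dns static get ($recs->0) name]"
  }
}
```

Run it from a terminal after both lists have been changed; a MISSING line means a host got a fixed address but cannot be reached by name.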
Configure the DNS forwarder using DNS over HTTPS (DoH)
[RouterOS CLI]: Delete old certificates, download new ones, import them & delete the file
/certificate remove [find name~"^cacert.pem"]
/tool fetch url="https://curl.se/ca/cacert.pem"
/file print
/certificate
import file-name="cacert.pem" passphrase=""
print where common-name="DigiCert Global Root CA"
/file
remove "cacert.pem"
print
[RouterOS CLI]: Configure DoH (verify-doh-cert needs the CA bundle imported above and a correct system clock, otherwise the DoH queries fail)
/ip dns
set use-doh-server="https://dns.switch.ch/dns-query" verify-doh-cert="yes"
print
[RouterOS CLI]: Test the name resolution
:put [:resolve "raysoft.ch"]
[RouterOS CLI]: Monitor the DNS logs
/log print follow where topics~"^dns"
Configure the NTP server & client
Documentation:
- RouterOS manual [EN]
[RouterOS CLI]: Configure the NTP client
/system ntp client
set enabled="yes" mode="unicast" \
servers="0.ch.pool.ntp.org,1.ch.pool.ntp.org,2.ch.pool.ntp.org"
print
[RouterOS CLI]: Configure the NTP server
/system ntp server
set enabled="yes" broadcast="no" manycast="yes" multicast="no"
print
[RouterOS CLI]: Redirect Apple’s NTP requests to the local server
/ip dns static
:foreach domain in={
"time-ios.apple.com"; "time-ios.g.aaplimg.com"; "time-osx.g.aaplimg.com";
"time.apple.com"; "time.asia.apple.com"; "time.euro.apple.com";
} do={
add name="$domain" type="CNAME" cname="ntp.raysoft.loc" \
ttl="1d" comment="Redirect NTP requests from Apple devices"
}
print detail where name~"^time"
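[RouterOS CLI]: Verify that the redirect works. The following script is an added check and not part of the original howto; it assumes the CNAME records above exist and that ntp.raysoft.loc has a static A record for the router's LAN address (192.168.1.1 in this howto). It resolves each Apple time host through the router's own resolver and compares the result with the address of ntp.raysoft.loc.

```routeros
# Added verification script, not part of the original howto. It assumes the
# static CNAME records above exist and that "ntp.raysoft.loc" has a static A
# record for the router's LAN address (192.168.1.1 in this howto).
:local expected [:resolve "ntp.raysoft.loc"]
:foreach domain in={
  "time-ios.apple.com"; "time-ios.g.aaplimg.com"; "time-osx.g.aaplimg.com";
  "time.apple.com"; "time.asia.apple.com"; "time.euro.apple.com";
} do={
  # :resolve throws an error when a name cannot be resolved, so catch it
  :do {
    :local got [:resolve $domain]
    :if ($got = $expected) do={
      :put "ok:   $domain -> $got"
    } else={
      :put "WARN: $domain -> $got (expected $expected)"
    }
  } on-error={
    :put "FAIL: $domain could not be resolved"
  }
}
```

A WARN line means the name still resolves to Apple's public servers, i.e. the static entry is missing or a different resolver is being used.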
[RouterOS CLI]: Monitor the logs
/log print follow where topics~"system" and message~"^NTP"
Configure PXE
Documentation:
- RouterOS manual [EN]
[RouterOS CLI]: Define environment
:global imageName "netboot.xyz.kpxe"
:global cardName "microsd1"
[RouterOS CLI]: Download the netboot image
/file remove [find name~"$imageName"]
/tool fetch dst-path="$cardName/$imageName" \
url="https://boot.netboot.xyz/ipxe/$imageName"
/file print
[RouterOS CLI]: Configure TFTP server
/ip tftp
add real-filename="$cardName" ip-addresses="192.168.1.0/24" allow="yes" \
read-only="yes"
print detail
[RouterOS CLI]: Configure DHCP server
/ip dhcp-server network
set [find] boot-file-name="$imageName" next-server="192.168.1.1"
print detail
[RouterOS CLI]: Monitor the TFTP logs
/log print follow where topics~"tftp"
Configure Graphing
Documentation:
- RouterOS manual [EN]
[UNIX shell]: Define environment
- for tellurium.raysoft.loc
host_name='tellurium'
- for palladium.raysoft.loc
host_name='palladium'
[RouterOS CLI]: Configure Graphing (the graphs are served by the www/www-ssl service; allow-address defaults to 0.0.0.0/0, so restrict it to the management network)
:foreach graph in={"interface"; "queue"; "resource"} do={
[:parse "/tool graphing $graph add disabled=\"no\""]
[:parse "/tool graphing $graph print detail"]
}
[macOS shell]: Open Graphing using Firefox
open -a 'Firefox' "https://${host_name}.raysoft.loc/graphs/"