RouterOS Howto (1) - Part 3
This is Part 3 of the RouterOS Howto for MikroTik hEX S.
Configure the WAN
[RouterOS CLI]: Remove the WAN interfaces (ether1 & sfp1) from any interface bridges or interface lists, remove all DHCP clients from these interfaces and remove the VLAN interfaces
:foreach path in={
"ip/dhcp-client";
"ipv6/dhcp-client";
"interface/bridge/port";
"interface/list/member";
"interface/vlan";
} do={
[:parse "/$path remove [find interface~\"^ether1\" or interface~\"^sfp1\"]"]
[:parse "/$path print detail"]
}
direct
[RouterOS CLI]: Add the WAN interfaces to the interface list WAN
/interface/list/member
:foreach interface in={"ether1"; "sfp1"} do={
add list="WAN" interface="$interface"
}
print detail
[RouterOS CLI]: Configure DHCP clients for the WAN interfaces
/ip/dhcp-client
:foreach interface in={"ether1"; "sfp1"} do={
add interface="$interface" add-default-route="yes" \
use-peer-dns="no" use-peer-ntp="no" dhcp-options="" \
disabled="no"
}
print detail
with VLAN
[RouterOS CLI]: Define the VLAN ID and the interface name suffix
:global vlan "10"
:global suffix "vlan$vlan"
[RouterOS CLI]: Configure VLAN interfaces on the WAN interfaces (ether1 & sfp1)
/interface/vlan
:foreach interface in={"ether1"; "sfp1"} do={
add name="$interface-$suffix" loop-protect="on" vlan-id="$vlan" \
interface="$interface" disabled="no"
}
print detail
[RouterOS CLI]: Add the VLAN interfaces to the interface list WAN
/interface/list/member
:foreach interface in={"ether1"; "sfp1"} do={
add list="WAN" interface="$interface-$suffix"
}
print detail
[RouterOS CLI]: Configure DHCP clients for the VLAN interfaces
/ip/dhcp-client
:foreach interface in={"ether1"; "sfp1"} do={
add interface="$interface-$suffix" add-default-route="yes" \
use-peer-dns="no" use-peer-ntp="no" dhcp-options="" \
disabled="no"
}
print detail
Dynamic DNS
[RouterOS CLI]: Enable the MikroTik proprietary Dynamic DNS
/ip/cloud
set ddns-enabled="yes" ddns-update-interval="300" update-time="no"
print
Configure the DHCP server
[RouterOS CLI]: Remove any DHCP servers, DHCP networks, static IP addresses & IP address pools
:foreach path in={
"ip/dhcp-server";
"ip/dhcp-server/network";
"ip/dhcp-server/lease";
"ip/pool";
"ipv6/dhcp-server";
} do={
[:parse "/$path remove [find]"]
[:parse "/$path print detail"]
}
LAN-STD-GW
[RouterOS CLI]: Configure an IP address pool
/ip/pool
add name="lan-std-pool1" ranges="192.168.1.240/28"
print detail
[RouterOS CLI]: Configure a DHCP network
/ip/dhcp-server/network
add address="192.168.1.0/24" gateway="192.168.1.1" domain="raysoft.loc" \
dns-server="192.168.1.49,192.168.1.1" ntp-server="192.168.1.1"
print detail
[RouterOS CLI]: Configure a new DHCP server
/ip/dhcp-server
add name="lan-std-dhcp" disabled="no" interface="bridge1-vrrp1" \
server-address="192.168.1.1" address-pool="lan-std-pool1" \
lease-time="1h"
print detail
Round up
[RouterOS CLI]: Configure static IP addresses for certain MAC addresses
/ip/dhcp-server/lease
...
add address="192.168.1.129" client-id="aluminium-eth" \
comment="aluminium (Mac mini): Ethernet"
add address="192.168.1.131" client-id="copper-eth" \
comment="copper (MacBook Pro): Ethernet"
add address="192.168.1.132" client-id="copper-wifi" \
comment="copper (MacBook Pro): WiFi"
add address="192.168.1.133" client-id="boron-wifi" \
comment="boron (iPhone): WiFi"
add address="192.168.1.134" client-id="xenon-wifi" \
comment="xenon (iPad): WiFi"
...
print detail
[RouterOS CLI]: Monitor the DHCP logs
/log print follow where topics~"^dhcp"
Configure the DNS server
[RouterOS CLI]: Configure the DNS server
/ip/dns
set servers="9.9.9.9,149.112.112.112" allow-remote-requests="yes" \
cache-max-ttl="10m"
print
[RouterOS CLI]: Remove any static DNS entries & configure new ones
/ip/dns/static
remove [find name~"raysoft.loc"]
...
add name="aluminium.raysoft.loc" type="A" address="192.168.1.129" \
ttl="1h" comment="Mac Mini: Ethernet"
add name="macmini.raysoft.loc" type="CNAME" cname="aluminium.raysoft.loc" \
ttl="1d" comment="Mac Mini alias"
add name="copper.raysoft.loc" type="A" address="192.168.1.131" \
ttl="1h" comment="MacBook Pro: Ethernet"
add name="macbook.raysoft.loc" type="CNAME" cname="copper.raysoft.loc" \
ttl="1d" comment="MacBook Pro alias"
add name="boron.raysoft.loc" type="A" address="192.168.1.133" \
ttl="1h" comment="iPhone: Wifi"
add name="iphone.raysoft.loc" type="CNAME" cname="boron.raysoft.loc" \
ttl="1d" comment="iPhone alias"
add name="xenon.raysoft.loc" type="A" address="192.168.1.134" \
ttl="1h" comment="iPad: WiFi"
add name="ipad.raysoft.loc" type="CNAME" cname="xenon.raysoft.loc" \
ttl="1d" comment="iPad alias"
...
print detail without-paging where name~"raysoft.loc"
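The static lease table and the static DNS table above have to be kept in step by hand (a host's fixed address appears in both, and every alias must point at a real A record). The following Python script is an added example, not part of the original howto: it parses "add" lines in the RouterOS form used on this page and reports mismatches. The sample input is constructed from a subset of the entries above, with one CNAME target left out on purpose.

```python
import re
from collections import defaultdict
# Constructed sample input, in the form of the lease and static-DNS blocks above.
LEASES = r'''
add address="192.168.1.129" client-id="aluminium-eth" \
    comment="aluminium (Mac mini): Ethernet"
add address="192.168.1.131" client-id="copper-eth" \
    comment="copper (MacBook Pro): Ethernet"
add address="192.168.1.133" client-id="boron-wifi" \
    comment="boron (iPhone): WiFi"
'''
DNS = r'''
add name="aluminium.raysoft.loc" type="A" address="192.168.1.129" \
    ttl="1h" comment="Mac Mini: Ethernet"
add name="macmini.raysoft.loc" type="CNAME" cname="aluminium.raysoft.loc" \
    ttl="1d" comment="Mac Mini alias"
add name="boron.raysoft.loc" type="A" address="192.168.1.133" \
    ttl="1h" comment="iPhone: Wifi"
add name="ipad.raysoft.loc" type="CNAME" cname="xenon.raysoft.loc" \
    ttl="1d" comment="iPad alias"
'''

def parse_adds(script):
    """Join backslash-continued lines; return one {key: value} dict per 'add' command."""
    entries = []
    for line in script.replace("\\\n", " ").splitlines():
        if line.strip().startswith("add "):
            entries.append(dict(re.findall(r'(\S+?)="([^"]*)"', line)))
    return entries

def lint(lease_script, dns_script):
    """Cross-check static leases against static DNS; an empty list means they agree."""
    leases, records = parse_adds(lease_script), parse_adds(dns_script)
    findings = []
    ids_by_addr = defaultdict(list)
    for lease in leases:
        ids_by_addr[lease["address"]].append(lease["client-id"])
    a_addrs = {r["address"] for r in records if r["type"] == "A"}
    a_names = {r["name"] for r in records if r["type"] == "A"}
    for addr, ids in ids_by_addr.items():
        if len(ids) > 1:               # same IP handed to two client-ids
            findings.append(f"duplicate lease address {addr}: {ids}")
        if addr not in a_addrs:        # host has a fixed IP but no forward name
            findings.append(f"lease {addr} has no A record")
    for r in records:
        if r["type"] == "A" and r["address"] not in ids_by_addr:
            findings.append(f"A record {r['name']} -> {r['address']} has no static lease")
        if r["type"] == "CNAME" and r["cname"] not in a_names:
            findings.append(f"CNAME {r['name']} points to unknown name {r['cname']}")
    return sorted(findings)
```

Feed it the full lease and static-DNS sections of an export to see which WiFi-only hosts have no forward name.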
Configure the DNS forwarder using DNS over HTTPS (DoH)
[RouterOS CLI]: Delete old certificates, download new ones, import them & delete the file
/tool/fetch url="https://curl.se/ca/cacert.pem"
/file print
/certificate
remove [find name~"^cacert.pem"]
import file-name="cacert.pem" passphrase=""
print where common-name="DigiCert Global Root CA"
/file
remove "cacert.pem"
print
[RouterOS CLI]: Configure DoH
/ip/dns
set use-doh-server="https://dns.quad9.net/dns-query" \
verify-doh-cert="yes"
print
[RouterOS CLI]: Test the name resolution
:put [:resolve "raysoft.ch"]
[RouterOS CLI]: Monitor the DNS logs
/log print follow where topics~"^dns"
Configure the NTP server & client
[RouterOS CLI]: Configure the NTP client
/system/ntp/client
set enabled="yes" mode="unicast" \
servers="0.ch.pool.ntp.org,1.ch.pool.ntp.org,2.ch.pool.ntp.org"
print
[RouterOS CLI]: Configure the NTP server
/system/ntp/server
set enabled="yes" broadcast="no" manycast="yes" multicast="no"
print
[RouterOS CLI]: Redirect Apple’s NTP requests to the local server
/ip/dns/static
:foreach domain in={
"time-ios.apple.com"; "time-ios.g.aaplimg.com";
"time-osx.g.aaplimg.com"; "time.apple.com";
"time.asia.apple.com"; "time.euro.apple.com";
} do={
add name="$domain" type="CNAME" cname="ntp.raysoft.loc" \
ttl="1d" comment="Redirect NTP requests from Apple devices"
}
print detail where name~"^time"
[RouterOS CLI]: Monitor the logs
/log print follow where topics~"system" and message~"^NTP"
Configure PXE
[RouterOS CLI]: Define environment
:global imageName "netboot.xyz.kpxe"
:global cardName "mircosd1"
[RouterOS CLI]: Download the netboot image
/file remove [find name~"$imageName"]
/tool/fetch dst-path="$cardName/$imageName" \
url="https://boot.netboot.xyz/ipxe/$imageName"
/file print
[RouterOS CLI]: Configure TFTP server
/ip/tftp
add real-filename="$cardName" ip-address="192.168.1.0/24" allow="yes" \
read-only="yes"
print detail
[RouterOS CLI]: Configure DHCP server
/ip/dhcp-server/network
set [find] boot-file-name="$imageName" next-server="192.168.1.1"
print detail
[RouterOS CLI]: Monitor the TFTP logs
/log print follow where topics~"tftp"
Configure Graphing
[UNIX shell]: Define environment
- for tellurium.raysoft.loc
host_name='tellurium'
- for palladium.raysoft.loc
host_name='palladium'
[RouterOS CLI]: Configure Graphing
:foreach graph in={"interface"; "queue"; "resource"} do={
[:parse "/tool/graphing $graph add disabled=\"no\""]
[:parse "/tool/graphing $graph print detail"]
}
[macOS shell]: Open Graphing using Firefox
open -a 'Firefox' "https://${host_name}.raysoft.loc/graphs/"