Track5Wireless: exercises-mikrotik-config.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Mikrotik Config Elements</title>
  <style type="text/css">code{white-space: pre;}</style>
  <link href="data:text/css;charset=utf-8,%0A%0A%0A%0Adiv%23header%2C%20header%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%2Etitle%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%2Eauthor%2C%20%2Edate%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%40media%20print%0A%7B%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0A%0Ah1%2C%20h2%2C%20h3%2C%20h4%2C%20h5%2C%20h6%0A%7B%0Afont%2Dfamily%3A%20%22Helvetica%20Neue%22%2C%20Helvetica%2C%20%22Liberation%20Sans%22%2C%20Calibri%2C%20Arial%2C%20sans%2Dserif%3B%20%0A%0Apage%2Dbreak%2Dafter%3A%20avoid%3B%20%0A%7D%0A%0Adiv%20div%2C%20section%20section%20%0A%7B%0Amargin%2Dleft%3A%202em%3B%20%0A%7D%0Ap%20%7B%7D%0Ablockquote%0A%7B%20font%2Dstyle%3A%20italic%3B%0A%7D%0Ali%20%0A%7B%0A%7D%0Ali%20%3E%20p%20%0A%7B%0Amargin%2Dtop%3A%201em%3B%20%0A%7D%0Aul%20%0A%7B%0A%7D%0Aul%20li%20%0A%7B%0A%7D%0Aol%20%0A%7B%0A%7D%0Aol%20li%20%0A%7B%0A%7D%0Ahr%20%7B%7D%0A%0Asub%20%0A%7B%0A%7D%0Asup%20%0A%7B%0A%7D%0Aem%20%0A%7B%0A%7D%0Aem%20%3E%20em%20%0A%7B%0Afont%2Dstyle%3A%20normal%3B%0A%7D%0Astrong%20%0A%7B%0A%7D%0A%0Aa%20%0A%7B%0A%0Atext%2Ddecoration%3A%20none%3B%0A%7D%0A%40media%20screen%0A%7B%0Aa%3Ahover%0A%7B%0A%0Atext%2Ddecoration%3A%20underline%3B%0A%7D%0A%7D%0A%40media%20print%0A%7B%0Aa%20%7B%0A%0Acolor%3A%20black%3B%0Abackground%3A%20transparent%3B%0A%7D%0Aa%5Bhref%5E%3D%22http%3A%2F%2F%22%5D%3Aafter%2C%20a%5Bhref%5E%3D%22https%3A%2F%2F%22%5D%3Aafter%0A%7B%0A%0Acontent%3A%20%22%20%28%22%20attr%28href%29%20%22%29%20%22%3B%0Afont%2Dsize%3A%2090%25%3B%0A%7D%0A%7D%0A%0Aimg%0A%7B%0A%0Avertical%2Dalign%3A%20middle%3B%0A%7D%0Adiv%2Efigure%20%0A%7B%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0Atext%2Dalign%3A%20center%3B%0Afont%2Dstyle%3A%20italic%3B%0A%7D%0Ap%2Ecaption%20%0A%7B%0A%0A%7D%0A%0Apre%2C%20code%20%7B%0Abackground%2Dcolor%3A%20%23fdf7ee%3B%0A%0A%0A%0Awhite%2Dspace%3A%20pre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Dmoz%2Dpre%2Dwrap%20%21important%3B%20%0Awhite%2Dspace%3A%20%2Dpre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Do%2Dpre%2Dwrap%3B%20%0Aword%2Dwrap%3A%20break%2Dword%3B%20%0A%0A%7D%0Apre%20%0A%7B%0A%0Apadding%3A%200%2E5em%3B%20%0Aborder%2Dradius%3A%205px%3B%20%0A%0Aborder%3A%201px%20solid%20%23aaa%3B%0A%0Amargin%2Dleft%3A%200%2E5em%3B%0Amargin%2Dright%3A%200%2E5em%3B%0A%7D%0A%40media%20screen%0A%7B%0Apre%0A%7B%0A%0Awhite%2Dspace%3A%20pre%3B%0Aoverflow%3A%20auto%3B%0A%0Aborder%3A%201px%20dotted%20%23777%3B%0A%7D%0A%7D%0Acode%20%0A%7B%0A%7D%0Ap%20%3E%20code%2C%20li%20%3E%20code%20%0A%7B%0A%0Apadding%2Dleft%3A%202px%3B%0Apadding%2Dright%3A%202px%3B%0A%7D%0Ali%20%3E%20p%20code%20%0A%7B%0A%0Apadding%3A%202px%3B%0A%7D%0A%0Aspan%2Emath%20%0A%7B%0A%0A%7D%0Adiv%2Emath%20%0A%7B%0A%7D%0Aspan%2ELaTeX%20%0A%7B%0A%7D%20eq%20%0A%7B%0A%7D%20%0A%0Atable%0A%7B%0Aborder%2Dcollapse%3A%20collapse%3B%0Aborder%2Dspacing%3A%200%3B%20%0Aborder%2Dbottom%3A%202pt%20solid%20%23000%3B%0Aborder%2Dtop%3A%202pt%20solid%20%23000%3B%20%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0A%7D%0Athead%20%0A%7B%0Aborder%2Dbottom%3A%201pt%20solid%20%23000%3B%0Abackground%2Dcolor%3A%20%23eee%3B%20%0A%7D%0Atr%2Eheader%20%0A%7B%0A%7D%20tbody%20%0A%7B%0A%7D%0A%0Atr%20%7B%0A%7D%0Atr%2Eodd%3Ahover%2C%20tr%2Eeven%3Ahover%20%0A%7B%0Abackground%2Dcolor%3A%20%23eee%3B%0A%7D%0A%0Atr%2Eodd%20%7B%7D%0Atr%2Eeven%20%7B%7D%0Atd%2C%20th%20%0A%7B%20vertical%2Dalign%3A%20top%3B%20%0Avertical%2Dalign%3A%20baseline%3B%20%0Apadding%2Dleft%3A%200%2E5em%3B%0Apadding%2Dright%3A%200%2E5em%3B%0Apadding%2Dtop%3A%200%2E2em%3B%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0A%0Ath%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%20%7D%0Atfoot%20%0A%7B%0A%7D%0Acaption%20%0A%7B%0Acaption%2Dside%3A%20top%3B%0Aborder%3A%20none%3B%0Afont%2Dsize%3A%200%2E9em%3B%0Afont%2Dstyle%3A%20italic%3B%0Atext%2Dalign%3A%20center%3B%0Amargin%2Dbottom%3A%200%2E3em%3B%20%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0Adl%20%0A%7B%0Aborder%2Dtop%3A%202pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0Aborder%2Dbottom%3A%202pt%20solid%20black%3B%0A%7D%0Adt%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%0A%7D%0Add%2Bdt%20%0A%7B%0Aborder%2Dtop%3A%201pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0A%7D%0Add%20%0A%7B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0Add%2Bdd%20%0A%7B%0Aborder%2Dtop%3A%201px%20solid%20black%3B%20%0A%7D%0A%0Aa%2Efootnote%2C%20a%2EfootnoteRef%20%7B%20%0Afont%2Dsize%3A%20small%3B%20vertical%2Dalign%3A%20text%2Dtop%3B%0A%7D%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%7D%0A%40media%20print%0A%7B%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0Adiv%2Efootnotes%20%0A%7B%0A%7D%0Adiv%2Efootnotes%20li%5Bid%5E%3D%22fn%22%5D%20%0A%7B%0A%7D%0A%0A%40media%20print%0A%7B%0A%2Enoprint%0A%7B%0Adisplay%3Anone%3B%0A%7D%0A%7D%0A" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="header">
<h1 class="title">Mikrotik Config Elements</h1>
<h3 class="date">Wireless Networking</h3>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#connect-to-your-router"><span class="toc-section-number">1.1</span> Connect to your router</a></li>
<li><a href="#reset-your-routers-configuration"><span class="toc-section-number">1.2</span> Reset your router's configuration</a></li>
<li><a href="#configure-a-password"><span class="toc-section-number">1.3</span> Configure a password</a></li>
<li><a href="#disable-insecure-services"><span class="toc-section-number">1.4</span> Disable insecure services</a></li>
<li><a href="#name-your-router"><span class="toc-section-number">1.5</span> Name your router</a></li>
<li><a href="#create-management-interface-assign-an-ip-address"><span class="toc-section-number">1.6</span> Create management interface &amp; assign an ip address</a></li>
<li><a href="#create-management-vlan-attach-it-to-management-interface"><span class="toc-section-number">1.7</span> Create management vlan &amp; attach it to management interface</a></li>
<li><a href="#add-your-ssh-key"><span class="toc-section-number">1.8</span> Add your SSH key</a></li>
<li><a href="#schedule-backups-and-create-a-backup-user"><span class="toc-section-number">1.9</span> Schedule backups and create a backup user</a></li>
<li><a href="#enable-snmp-and-set-up-a-community"><span class="toc-section-number">1.10</span> Enable SNMP and set up a community</a></li>
</ul></li>
</ul>
</div>
<h1 id="introduction"><span class="header-section-number">1</span> Introduction</h1>
<p>This set of exercises will help you learn the basic set of RouterOS commands required to configure and secure your Mikrotik switch or router.</p>
<h2 id="connect-to-your-router"><span class="header-section-number">1.1</span> Connect to your router</h2>
<p>Using your console cable, connect to your RB532 following the instructions from the Wireless Scanning &amp; Antenna Lab.</p>
<h2 id="reset-your-routers-configuration"><span class="header-section-number">1.2</span> Reset your router's configuration</h2>
<p>Since we've used these routers for a few exercises, they are not in their default state. Please reset them to a blank configuration</p>
<pre><code> /system reset-configuration no-defaults=yes</code></pre>
<p>The router will respond with a message:</p>
<pre><code> Dangerous! Reset anyway? [y/N]:
 </code></pre>
<p>Press the <code>&quot;y&quot;</code> key, and the router will re-set. You can watch the console as the router reboots and generates new SSH keys. After a minute or two, the router will allow you to log in again.</p>
<pre><code>MikroTik 6.32.3
MikroTik Login:</code></pre>
<h2 id="configure-a-password"><span class="header-section-number">1.3</span> Configure a password</h2>
<p>A newly re-set Mikrotik router does not have a password. Please change this, so that the Mikrotik uses the classroom default password.</p>
<pre><code>[admin@MikroTik] &gt; /password</code></pre>
<p>The router will respond with:</p>
<pre><code>old-password:</code></pre>
<p>There is no old password, so just hit enter, then type the new password in, and type it in again when you're asked to confirm the password.</p>
<h2 id="disable-insecure-services"><span class="header-section-number">1.4</span> Disable insecure services</h2>
<p>By default, Mikrotik routers allow access via telnet and FTP. As these are insecure protocols offering no protection from eavesdropping, you should disable them.</p>
<pre><code>[admin@Mikrotik] &gt; /ip service set telnet disabled=yes
[admin@Mikrotik] &gt; /ip service set ftp disabled=yes </code></pre>
<p>It's also a good idea to disable HTTP access if you don't absolutely need it.</p>
<pre><code>[admin@Mikrotik] &gt; /ip service set www disabled=yes </code></pre>
<p>You can confirm they are disabled, and view the other access services offered by your router, by typing:</p>
<pre><code>[admin@Mikrotik] &gt; /ip service print</code></pre>
<h2 id="name-your-router"><span class="header-section-number">1.5</span> Name your router</h2>
<p>Administering many routers all named <code>&quot;Mikrotik&quot;</code> would be difficult, so you should name your router.</p>
<pre><code>[admin@Mikrotik] &gt; /system identity set name=</code></pre>
<p>Refer to the suppied network diagram for an appropriate naming convention.</p>
<h2 id="create-management-interface-assign-an-ip-address"><span class="header-section-number">1.6</span> Create management interface &amp; assign an ip address</h2>
<p>Every router should have a management address, but it's not always convenient to assign this address to a fixed physical interface. Creating a management interface that's not bound to a physical interface helps with this problem.</p>
<pre><code> /interface bridge add name=bridge_management disabled=no</code></pre>
<p>Now assign an address to the interface. For this lab, use an address in the same /24 subnet as your Linux virtual machine.</p>
<pre><code>/ip address add address=x.x.x.x/x interface=bridge_management</code></pre>
<p>Refer to the supplied network diagram for an appropriate IP address.</p>
<h2 id="create-management-vlan-attach-it-to-management-interface"><span class="header-section-number">1.7</span> Create management vlan &amp; attach it to management interface</h2>
<p>Management traffic should always be segregated from user traffic! In this lab, every group has been assigned a management vlan, which is presented to your router tagged.</p>
<p>Create a vlan on the interface facing your management network.</p>
<pre><code>/interface vlan add vlan-id=xxxx name=vlan_xxxx interface=xxxxxx disabled=no</code></pre>
<p>Refer to the supplied network diagram for the management vlan you will use.</p>
<p>Now that you've got a management vlan, attach it to the management interface.</p>
<pre><code>/interface bridge port add interface vlan_xxxx bridge=bridge_management disabled=no</code></pre>
<p>From your Mikrotik you should now be able to ping your group's router and your Linux virtual machine.</p>
<h2 id="add-your-ssh-key"><span class="header-section-number">1.8</span> Add your SSH key</h2>
<p>Logging into routers with passwords can be tedious, especially for administrators who frequently connect to Mikrotik's command-line interface via SSH.</p>
<p>Upload your public SSH key to your Mikrotik's management address using <code>scp</code>, the secure copy protocol. Once it's on your router, add it to the admin user:</p>
<pre><code>/user ssh-keys import public-key-file=id_rsa.pub user=admin</code></pre>
<h2 id="schedule-backups-and-create-a-backup-user"><span class="header-section-number">1.9</span> Schedule backups and create a backup user</h2>
<p>It's always a good idea to back up your router's configuration. Wireless radios are often exposed to the elements and have a higher rate of failure than core network elements. Create a backup process that runs every 24 hours.</p>
<pre><code>/system scheduler add name=&quot;backup&quot; on-event=&quot;system backup save name=today.backup&quot; \
start-date=jan/01/1970 start-time=00:00:00 interval=10h comment=&quot;&quot; disabled=no</code></pre>
<p>Now create user that can only read the router's configuration.</p>
<pre><code>/user add group=read name=backup disabled=no password=nsrc+ws</code></pre>
<p>For automated backups, you'll want to create an ssh key pair on your backup server and upload the backup server's public key to the Mikrotik backup user as you did in the step above.</p>
<h2 id="enable-snmp-and-set-up-a-community"><span class="header-section-number">1.10</span> Enable SNMP and set up a community</h2>
<p>We'll use SNMP to gather information about our network, so enable it on your router.</p>
<p>Choose a location name that is as detailed as possible. The naming scheme below uses common location codes to allow us to quickly idenfity the physical location of the device. Remember to use quotes around your location string.</p>
<pre><code>/snmp set enabled=yes contact=netops@your.domain location=&quot;NZL:AKL:CBD:AUT:WG:903&quot;</code></pre>
<p>Mikrotik routers come with a <code>public</code> community by default. Change that community to <code>&quot;NetManage&quot;</code> and restrict access so that only hosts in your management network can make SNMP queries:</p>
<pre><code>/snmp community set public name=NetManage addresses=x.x.x.x/x</code></pre>
</body>
</html>