1 Introduction

This set of exercises will help you learn the basic RouterOS commands required to configure and secure your MikroTik switch or router.

1.1 Connect to your router

Using your console cable, connect to your RB532 following the instructions from the Wireless Scanning & Antenna Lab.

1.2 Reset your router's configuration

Since we've used these routers for a few exercises, they are not in their default state. Please reset them to a blank configuration:

 /system reset-configuration no-defaults=yes

The router will respond with a message:

 Dangerous! Reset anyway? [y/N]:

Press the "y" key, and the router will reset. You can watch the console as the router reboots and generates new SSH host keys. After a minute or two, the router will allow you to log in again.

MikroTik 6.32.3
MikroTik Login:

1.3 Configure a password

A newly reset MikroTik router has no password on the admin account. Set one now, so that the router uses the classroom default password.

[admin@MikroTik] > /password

The router will respond with:

old-password:

There is no old password, so just hit enter, then type the new password in, and type it in again when you're asked to confirm the password.

1.4 Disable insecure services

By default, MikroTik routers allow access via telnet and FTP. Both send credentials and session contents in cleartext, offering no protection from eavesdropping, so you should disable them.

[admin@Mikrotik] > /ip service set telnet disabled=yes
[admin@Mikrotik] > /ip service set ftp disabled=yes

It's also a good idea to disable the plain HTTP web interface (the www service) if you don't absolutely need it; if you need web access at all, the www-ssl service is the encrypted alternative.

[admin@Mikrotik] > /ip service set www disabled=yes

You can confirm they are disabled, and view the other access services offered by your router, by typing:

[admin@Mikrotik] > /ip service print
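As an added example (not part of the original lab), here is the fuller service review a practitioner would do at this point on RouterOS 6. Besides the three services above it disables the API service, which is also unencrypted, and uses the address= parameter of /ip service to bind the services you keep to the management subnet. The subnet 10.10.0.0/24 is an assumption; use the one from your network diagram, and apply the address restriction only after the management address from section 1.6 exists. In an SSH session, toggle safe mode (Ctrl-X) first: if you lock yourself out, the changes are rolled back when the session drops.

```routeros
# Added example: review and harden /ip service on RouterOS 6.
# The management subnet 10.10.0.0/24 is an assumption; substitute the
# subnet from your network diagram.

# Cleartext protocols: disable them outright.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes

# Encrypted services that stay enabled: accept connections only from
# the management subnet. address= takes a comma-separated list if you
# need more than one.
/ip service set ssh address=10.10.0.0/24
/ip service set winbox address=10.10.0.0/24

# Encrypted services this lab does not use: disable them too.
/ip service set www-ssl disabled=yes
/ip service set api-ssl disabled=yes

# Verify: disabled services carry an X flag, the kept ones show
# the address restriction in the ADDRESS column.
/ip service print
```

After the print, the only services without an X flag should be ssh and winbox, and both should list the management subnet. If you later connect from a host outside that subnet, the connection is refused before any authentication takes place, which is the point.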

1.5 Name your router

Administering many routers all named "MikroTik" (the default identity) would be confusing, so you should name your router.

[admin@Mikrotik] > /system identity set name=

Refer to the supplied network diagram for an appropriate naming convention.

1.6 Create management interface & assign an ip address

Every router should have a management address, but it's not always convenient to assign this address to a fixed physical interface. Creating a management interface that's not bound to a physical interface helps with this problem.

 /interface bridge add name=bridge_management disabled=no

Now assign an address to the interface. For this lab, use an address in the same /24 subnet as your Linux virtual machine.

/ip address add address=x.x.x.x/x interface=bridge_management

Refer to the supplied network diagram for an appropriate IP address.

1.7 Create management vlan & attach it to management interface

Management traffic should always be segregated from user traffic! In this lab, every group has been assigned a management vlan, which is presented to your router tagged.

Create a vlan on the interface facing your management network.

/interface vlan add vlan-id=xxxx name=vlan_xxxx interface=xxxxxx disabled=no

Refer to the supplied network diagram for the management vlan you will use.

Now that you've got a management vlan, attach it to the management interface.

/interface bridge port add interface=vlan_xxxx bridge=bridge_management disabled=no

From your Mikrotik you should now be able to ping your group's router and your Linux virtual machine.
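The complete management-plane setup of sections 1.6 and 1.7 with the checks a practitioner runs before trusting it, as an added example that is not part of the original lab. The values are assumptions: the management VLAN is 100 and arrives tagged on ether1, the management subnet is 10.10.0.0/24, this router takes 10.10.0.5 and the group's router is 10.10.0.1. Substitute the values from your network diagram.

```routeros
# Added example: management bridge + tagged management VLAN on RouterOS 6.
# Assumed values (not from the lab sheet): VLAN 100 tagged on ether1,
# subnet 10.10.0.0/24, this router 10.10.0.5, gateway 10.10.0.1.

# 1. The bridge is the management interface; it is not tied to any one
#    physical port, so the address survives re-cabling.
/interface bridge add name=bridge_management disabled=no

# 2. VLAN sub-interface on the uplink that carries the tagged management VLAN.
/interface vlan add name=vlan_100 vlan-id=100 interface=ether1 disabled=no

# 3. Attach the VLAN to the management bridge.
/interface bridge port add bridge=bridge_management interface=vlan_100 disabled=no

# 4. Address the bridge, not the VLAN interface or the physical port.
/ip address add address=10.10.0.5/24 interface=bridge_management

# Checks: the VLAN should show the R (running) flag, the port should be
# listed under bridge_management, the address should sit on the bridge,
# and the group's router should answer from inside the management VLAN.
/interface vlan print
/interface bridge port print
/ip address print
/ping 10.10.0.1 count=3
```

If the VLAN interface is not running, the physical uplink is down; if it is running but the ping fails, the most common cause is that the switch port facing the router sends the management VLAN untagged, or tags a different VLAN ID, so check the diagram and the switch side before changing anything on the router.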

1.8 Add your SSH key

Logging into routers with passwords can be tedious, especially for administrators who frequently connect to Mikrotik's command-line interface via SSH.

Upload your public SSH key to your MikroTik's management address using scp (secure copy over SSH). RouterOS 6 accepts RSA and DSA keys only, so use an RSA key (id_rsa.pub) rather than an ed25519 one. Once it's on your router, add it to the admin user:

/user ssh-keys import public-key-file=id_rsa.pub user=admin

1.9 Schedule backups and create a backup user

It's always a good idea to back up your router's configuration; wireless radios are often exposed to the elements and fail more often than core network elements. Create a backup job that runs every 24 hours.

/system scheduler add name="backup" on-event="/system backup save name=today.backup" \
start-date=jan/01/1970 start-time=00:00:00 interval=1d comment="" disabled=no

Each run overwrites today.backup, so the router itself keeps only the most recent copy; the backup server is where the history lives.

Now create a user that can only read the router's configuration.

/user add group=read name=backup disabled=no password=nsrc+ws

For automated backups, you'll want to create an ssh key pair on your backup server and upload the backup server's public key to the Mikrotik backup user as you did in the step above.
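The backup job above writes one file and overwrites it daily. As an added example that is not part of the original lab, the job below date-stamps each run and writes both the binary backup and a text export, which can be read, diffed and kept under version control. It assumes the RouterOS 6 date format "mon/dd/yyyy" returned by /system clock get date (for example sep/24/2015); the file names and the key file name backup-server.pub are assumptions. The console accepts a quoted string that spans several lines; if your terminal does not, paste the body into the editor opened by /system script edit nightly-backup source.

```routeros
# Added example: dated nightly backups on RouterOS 6 (not from the lab sheet).
# Assumes the RouterOS 6 date format "mon/dd/yyyy"; file names are assumptions.

# A script that writes cfg-YYYY-mon-DD.backup and cfg-YYYY-mon-DD.rsc.
# "/" cannot be used in a file name, so the date is re-assembled with :pick
# from the "mon/dd/yyyy" string (chars 7-10 = year, 0-2 = month, 4-5 = day).
/system script add name=nightly-backup source="
:local d [/system clock get date]
:local stamp ([:pick \$d 7 11] . \"-\" . [:pick \$d 0 3] . \"-\" . [:pick \$d 4 6])
/system backup save name=(\"cfg-\" . \$stamp)
/export file=(\"cfg-\" . \$stamp)
:log info (\"nightly backup written as cfg-\" . \$stamp)
"

# Run it once by hand and confirm that both files appeared.
/system script run nightly-backup
/file print where name~"^cfg-"

# Schedule it once a day: interval=1d is "every 24 hours".
/system scheduler add name=nightly-backup start-time=00:00:00 interval=1d \
    on-event=nightly-backup disabled=no

# A read-only account for the backup server, authenticated with the
# server's public key rather than its password.
/user add name=backup group=read password=nsrc+ws disabled=no
/user ssh-keys import public-key-file=backup-server.pub user=backup
```

The backup server then pulls the day's files with scp as user backup, for example scp backup@10.10.0.5:cfg-2015-sep-24.rsc into its archive. Prefer the .rsc export for long-term storage: the binary .backup is meant for restoring the same hardware and carries the router's secrets. If the scp download is refused even though the key is accepted, check /user group print: file transfer over FTP and SCP is controlled by the ftp policy, which the built-in read group leaves off, so you may need a group that adds ftp to read. Old cfg- files accumulate on the router's small flash, so remove them from /file once the server has a copy.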

1.10 Enable SNMP and set up a community

We'll use SNMP to gather information about our network, so enable it on your router.

Choose a location string that is as detailed as possible. The scheme below uses a hierarchy of common location codes so that we can quickly identify the physical location of the device. Remember to use quotes around your location string.

/snmp set enabled=yes contact=netops@your.domain location="NZL:AKL:CBD:AUT:WG:903"

MikroTik routers ship with a read-only community named "public" that answers queries from any address. Change that community to "NetManage" and restrict it so that only hosts in your management network can make SNMP queries. In SNMP v1 and v2c the community string is sent in cleartext, so the address restriction is what actually limits who can poll the router:

/snmp community set public name=NetManage addresses=x.x.x.x/x
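The same SNMP setup with the checks and the stronger option a practitioner would add, as an added example that is not part of the original lab. The management subnet 10.10.0.0/24 and the SNMPv3 user name and passwords are assumptions and placeholders; the location string is the one used above. It goes beyond the lab by adding an SNMPv3 entry with authentication and encryption, which RouterOS 6 supports under /snmp community via the security= parameter, so the monitoring host need not rely on a cleartext community string at all.

```routeros
# Added example: SNMP hardening on RouterOS 6 (not from the lab sheet).
# Assumed values: management subnet 10.10.0.0/24, the v3 user "netmon"
# and both passwords, which are placeholders to be replaced.

/snmp set enabled=yes contact=netops@your.domain location="NZL:AKL:CBD:AUT:WG:903"

# Weak default: community "public", readable from any address.
# Rename it, keep it read-only and answer only the management subnet.
/snmp community set [find name=public] name=NetManage addresses=10.10.0.0/24 \
    read-access=yes write-access=no

# v2c community strings travel in cleartext. Add an SNMPv3 user for the
# monitoring host with authentication (SHA1) and encryption (AES) instead.
/snmp community add name=netmon security=private \
    authentication-protocol=SHA1 authentication-password=ChangeMe-Auth \
    encryption-protocol=AES encryption-password=ChangeMe-Priv \
    addresses=10.10.0.0/24 read-access=yes write-access=no

# Verify: no entry named "public" remains, no entry has write access,
# and every entry lists the management subnet.
/snmp community print
```

From the Linux virtual machine, a walk with snmpwalk -v2c -c NetManage against the router's management address should return the system group, and the same walk from an address outside the management subnet, or with the old community "public", should time out.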