Home, 2018-10-07T18:15:00+00:00

Welcome to Mikrotik Examples

Over the last several years it has been difficult as a network administrator to find answers & configuration examples. This site is dedicated to collecting and providing MikroTik configuration examples, scripts, and tools for everyone from the amateur to advanced user. Many of these examples (both brewed in house and collected from around the web) are tested and in production at data centers, WISPs, businesses, and homes.

Looking for something specific that we haven’t covered? Send me an email to mario@aldayuz.com and I would be happy to add it to our example list or point you in the right direction. Feel free to comment with updates or better practices.

Recent MikroTik Examples

MikroTik Cloud Management via AWS & OpenVPN

Looking to manage your MikroTik Router remotely? Having difficulty accessing devices behind a firewall? Here is a really neat tool for aggregating and managing devices via AWS and a Cloud Hosted Router instance.

First, we will start with the server side configuration. It assumes the following:

  • You have a basically configured server side device which can be any of the following:
    • An AWS EC2 RouterOS Cloud Hosted Router (CHR) instance.
    • A RouterOS Cloud Hosted Router (CHR) instance on another x86 platform.
    • A dedicated RouterBoard device with L5-L6 license and Static Public IP.
    • A dedicated RouterBoard device with L5-L6 license and Public IP + DDNS.

The MikroTik Cloud Management Server Configuration

#Create self signed certificates for OpenVPN
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2
/certificate
sign ca-template ca-crl-host=YOURHOSTORIPADDRESS name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2
#Create OpenVPN Bridge
/interface bridge
add arp=proxy-arp fast-forward=no name=ovpn-bridge
#Set ether1 to Proxy-ARP
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
#Add IP addresses for Core Devices & Customer Routers
/ip address
add address=172.16.112.1/20 interface=ovpn-bridge network=172.16.112.0
add address=172.16.128.1/20 interface=ovpn-bridge network=172.16.128.0
#Create IP pools for core & client devices
/ip pool
add name=ovpn-pool1 ranges=172.16.112.10-172.16.127.253
add name=ovpn-pool2 ranges=172.16.128.10-172.16.143.253
#Create PPP profiles for Customer Routers & Core Devices
/ppp profile
add bridge=ovpn-bridge local-address=ovpn-pool1 name=customer-routers remote-address=ovpn-pool1 use-encryption=yes
add bridge=ovpn-bridge local-address=ovpn-pool2 name=core-devices remote-address=ovpn-pool2 use-encryption=yes
#Enable OpenVPN Server - present the CA-signed server certificate, not the CA certificate itself
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes128 default-profile=customer-routers enabled=yes

Create the Individual OpenVPN Remote Access Users

The following values need to be replaced:

  • DEVICEUSERNAME – By default the client configuration script is designed to use the system serial number as the username. It is up to you if you keep that the same, but each device will need to be added via command line or Winbox.
  • DEVICEACCESSKEY – This is either created on a per-device basis or all devices share the same key. It’s personal preference — obviously faster and easier to deploy if all share the same key however it is more secure to each have a unique key.
#Create OpenVPN users
/ppp secret
add name=DEVICEUSERNAME password=DEVICEACCESSKEY profile=core-devices service=ovpn

 

The MikroTik Cloud Management Client Configuration

The following values need to be replaced:

  • SUPERLONGTOUGHTOCRACKKEY – This is either created on a per-device basis or all devices share the same key. It’s personal preference — obviously faster and easier to deploy if all share the same key however it is more secure to each have a unique key.
  • YOUR.CLOUDROUTER.HOSTNAME – This is the hostname/IP address which your client devices will phone home to.

This script assumes the following:

  • $systemhostname – The username for access to the cloud management VPN is created from your RouterBoard serial number. If you’d prefer to have more human readable names you can remove the local value binding and create your own username. I 100% recommend each username be unique and standardized. After having deployed ~1,000 devices I certainly am thankful they are.
#Setup Remote Access OVPN Client
#Username is the RouterBoard serial number (assigned directly - :put only prints and returns nothing)
:local systemhostname [/system routerboard get serial-number]

/terminal style none;
#The major RouterOS version is the first character of the version string
:if ([:tonum [:pick [/system resource get version] 0 1]] >= 6) do={
/ppp profile add name=remote-backend use-encryption=yes;
/interface ovpn-client add name=remote-backend port=1194 mode=ip \
user=$systemhostname password=SUPERLONGTOUGHTOCRACKKEY \
profile=remote-backend certificate=none auth=sha1 \
cipher=aes128 connect-to=YOUR.CLOUDROUTER.HOSTNAME;
} else={
/ppp profile add name=remote-backend use-encryption=yes;
/interface ovpn-client add name=remote-backend port=1194 mode=ip \
user=$systemhostname password=SUPERLONGTOUGHTOCRACKKEY \
profile=remote-backend certificate=none auth=sha1 \
cipher=aes128 connect-to=YOUR.CLOUDROUTER.HOSTNAME;
};

#Setup Remote Access OVPN Firewall Rules - only the cloud router, arriving over the tunnel, may reach API/SSH/Telnet
/ip firewall filter add src-address=172.16.112.1 dst-port=8728,22,23 chain=input protocol=tcp \
action=accept in-interface=remote-backend place-before=0;
/ip firewall filter add chain=input in-interface=remote-backend connection-state=established \
action=accept place-before=0;
/terminal style none;

 

There are still aspects of this script that I am fine tuning but the principle works. I’m definitely open to improving this so please comment if you have suggestions or trouble implementing.
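
The post recommends a unique DEVICEACCESSKEY per device; the following is an added provisioning helper (not part of the original post) that generates one random key per RouterBoard serial number and renders both the server-side /ppp secret line and the client script with the placeholders filled in. The hostname, the serial numbers and the 12-hex-character serial format are assumptions.

```python
"""Per-device credential provisioning for the cloud-management OpenVPN setup."""
import re
import secrets

SERVER_HOSTNAME = "vpn.example.invalid"   # assumption: stands in for YOUR.CLOUDROUTER.HOSTNAME

# Client-side commands from the post with the placeholders kept verbatim.
CLIENT_TEMPLATE = """\
:local systemhostname [/system routerboard get serial-number]
/ppp profile add name=remote-backend use-encryption=yes;
/interface ovpn-client add name=remote-backend port=1194 mode=ip \\
user=$systemhostname password="SUPERLONGTOUGHTOCRACKKEY" \\
profile=remote-backend certificate=none auth=sha1 \\
cipher=aes128 connect-to=YOUR.CLOUDROUTER.HOSTNAME;
/ip firewall filter add src-address=172.16.112.1 dst-port=8728,22,23 chain=input protocol=tcp \\
action=accept in-interface=remote-backend place-before=0;
/ip firewall filter add chain=input in-interface=remote-backend connection-state=established \\
action=accept place-before=0;
"""

# Assumption: RouterBoard serial numbers are 12 upper-case hex characters.
SERIAL_RE = re.compile(r"^[0-9A-F]{12}$")


def make_access_key(nbytes: int = 32) -> str:
    """Random URL-safe key: only [A-Za-z0-9_-], so it is safe inside RouterOS double quotes."""
    return secrets.token_urlsafe(nbytes)


def server_secret_line(serial: str, key: str, profile: str = "core-devices") -> str:
    """The /ppp secret entry the post's server configuration expects for one device."""
    return (f'/ppp secret add name="{serial}" password="{key}" '
            f'profile={profile} service=ovpn')


def render_client_script(key: str, hostname: str) -> str:
    """Fill the two placeholders of the client script."""
    out = CLIENT_TEMPLATE.replace("SUPERLONGTOUGHTOCRACKKEY", key)
    return out.replace("YOUR.CLOUDROUTER.HOSTNAME", hostname)


def provision(serials, hostname=SERVER_HOSTNAME):
    """Return {serial: {"key", "server_line", "client_script"}}, one unique key per device."""
    result, seen_keys = {}, set()
    for serial in serials:
        if not SERIAL_RE.match(serial):
            raise ValueError(f"unexpected serial format: {serial!r}")
        if serial in result:
            raise ValueError(f"duplicate serial: {serial}")
        key = make_access_key()
        while key in seen_keys:          # practically never loops; makes uniqueness explicit
            key = make_access_key()
        seen_keys.add(key)
        client = render_client_script(key, hostname)
        if "SUPERLONGTOUGHTOCRACKKEY" in client or "YOUR.CLOUDROUTER" in client:
            raise RuntimeError("placeholder left unfilled")
        result[serial] = {"key": key,
                          "server_line": server_secret_line(serial, key),
                          "client_script": client}
    return result


if __name__ == "__main__":
    # Constructed serial numbers, not real devices.
    for serial, dev in provision(["A1B2C3D4E5F6", "0011223344AA"]).items():
        print(dev["server_line"])
        print(f"# client script for {serial}:\n{dev['client_script']}")
```

The server lines are pasted into the cloud router and each client script onto the device whose serial it was generated for; the username the client derives at runtime then matches the secret.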

By |October 7th, 2018|Categories: Cloud Management|0 Comments

Restaurant/Retail MikroTik Router Configuration

This script assumes the following:

  • A switch capable of VLAN management / passthrough will be used
    • I recommend a ToughSwitch POE 5-8 Port
  • Access point(s) support multiple SSIDs with VLAN assignment
    • I recommend IgniteNet Spark AC WAVE2

The following values need to be configured:

  • Admin Account
    • YOURUSERNAME – The username for your admin account
    • YOURPASSWORD – The password for your admin account
  • NoIP DDNS Configuration — MikroTik does support their internal DDNS however some prefer external DDNS support as well.
    • YOURNOIPPUSERNAME – The username for your NoIP Account (optional)
    • YOURNOIPPASSWORD – The password for your NoIP Account (optional)
    • YOURNOIPHOSTNAME – The hostname for your NoIP Account (optional)

 

#0.0 This script is intended to be run post reset. Tested and confirmed working on RB3011RM models.
#1.0 Interface & DHCP Client Configuration
#1.1 Set interface names.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN-SWITCH
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-MGMT
#1.2 Create DHCP Client
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
#1.3 Create interface bridges.
/interface bridge
add name=1-default-bridge auto-mac=yes
add name=100-customer-bridge
add name=200-employee-bridge
add name=300-securepos-bridge
#1.4 Create interface VLAN - assign all VLAN to ether2-LAN-SWITCH interface.
/interface vlan
add interface=ether2-LAN-SWITCH name=200-employee-vlan vlan-id=200
add interface=ether2-LAN-SWITCH name=100-customer-vlan vlan-id=100
add interface=ether2-LAN-SWITCH name=300-securepos-vlan vlan-id=300
#1.5 Bridge all VLAN to respective bridge, and ether2-5 to default bridge
/interface bridge port
add bridge=1-default-bridge interface=ether2-LAN-SWITCH
add bridge=1-default-bridge interface=ether3-LAN
add bridge=1-default-bridge interface=ether4-LAN
add bridge=1-default-bridge interface=ether5-MGMT
add bridge=100-customer-bridge interface=100-customer-vlan
add bridge=200-employee-bridge interface=200-employee-vlan
add bridge=300-securepos-bridge interface=300-securepos-vlan
#2.0 IP Address Configuration
#2.1 Create IP Addresses.
/ip address
add address=10.10.88.1/24 interface=1-default-bridge network=10.10.88.0
add address=10.10.4.1/22 interface=100-customer-bridge network=10.10.4.0
add address=10.10.8.1/22 interface=200-employee-bridge network=10.10.8.0
add address=192.168.100.1/24 interface=300-securepos-bridge network=192.168.100.0
#3.0 Configuration of DHCP Server
#3.1 Create IP Pools for DHCP use.
/ip pool
add name=1-default-pool ranges=10.10.88.10-10.10.88.254
add name=100-customer-pool ranges=10.10.4.4-10.10.7.254
add name=200-employee-pool ranges=10.10.8.3-10.10.11.254
add name=300-securepos-pool ranges=192.168.100.10-192.168.100.253
#3.2 Create DHCP Servers
/ip dhcp-server
add address-pool=1-default-pool disabled=no interface=1-default-bridge name=1-default-dhcp lease-time=24h
add address-pool=100-customer-pool disabled=no interface=100-customer-bridge name=100-customer-dhcp lease-time=24h
add address-pool=200-employee-pool disabled=no interface=200-employee-bridge name=200-employee-dhcp lease-time=24h
add address-pool=300-securepos-pool disabled=no interface=300-securepos-bridge name=300-securepos-dhcp lease-time=24h
#3.3 Create DHCP Networks
/ip dhcp-server network
add address=10.10.4.0/22 gateway=10.10.4.1
add address=10.10.8.0/22 gateway=10.10.8.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=10.10.88.0/24 gateway=10.10.88.1
#5.0 Firewall Configuration
#5.1 Add default NAT masquerade out ether1-WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
#5.2 Add Basic Firewall rules.
/ip firewall filter
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router" \
    connection-state=new in-interface=ether1-WAN src-address-list=blacklist
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward src-address=8.8.8.8
add action=accept chain=forward src-address=8.8.4.4
add action=drop chain=forward comment="keyword_drop torrent - accidentally blo\
    cks any site referring to torrent in the URL" content=torrent disabled=\
    yes out-interface=ether1-WAN
add action=drop chain=forward comment="trackers_drop - accidentally blocks som\
    e websites containing \"tracker\" in the packet" content=tracker \
    disabled=yes out-interface=ether1-WAN
add action=drop chain=forward comment=get_peers_drop content=getpeers \
    out-interface=ether1-WAN
add action=drop chain=forward comment=info_hash_drop content=info_hash \
    out-interface=ether1-WAN
add action=drop chain=forward comment=announce_peers_drop content=\
    announce_peers out-interface=ether1-WAN
add action=drop chain=forward comment=p2p_drop out-interface=ether1-WAN p2p=\
    all-p2p
#5.3 Block Secure/Employee > Customer
add action=drop chain=forward in-interface=200-employee-bridge out-interface=100-customer-bridge
add action=drop chain=forward in-interface=300-securepos-bridge out-interface=100-customer-bridge
#5.4 Block Customer > Employee/Secure
add action=drop chain=forward in-interface=100-customer-bridge out-interface=200-employee-bridge
add action=drop chain=forward in-interface=100-customer-bridge out-interface=300-securepos-bridge
#5.5 Block Secure <> Employee
add action=drop chain=forward in-interface=200-employee-bridge out-interface=300-securepos-bridge
add action=drop chain=forward in-interface=300-securepos-bridge out-interface=200-employee-bridge
#5.6 Add Layer 7 torrent blocking protocols.
/ip firewall layer7-protocol
#Note: no filter rule above references this entry; to use it add a forward rule with layer7-protocol=commontorrentsites
add name=commontorrentsites regexp="^.*(get|GET).+(torrent|piratebay|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|seedpeer|fenopy|gpirate|commonbits).*\$"
#6.0 System Scheduler Configuration
#6.1 Add System Scheduler for Spamhaus, DShield, and malc0de.
/system scheduler
add comment="Download spamhaus list" interval=3d name=DownloadSpamhausList \
    on-event=DownloadSpamhaus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=23:41:00
add comment="Apply spamhaus List" interval=3d name=InstallSpamhausList \
    on-event=ReplaceSpamhaus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=23:46:00
add comment="Download dshield list" interval=3d name=DownloadDShieldList \
    on-event=Download_dshield policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=23:51:00
add comment="Apply dshield List" interval=3d name=InstallDShieldList \
    on-event=Replace_dshield policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=23:56:00
add comment="Download malc0de list" interval=3d name=Downloadmalc0deList \
    on-event=Download_malc0de policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=23:51:00
add comment="Apply malc0de List" interval=3d name=Installmalc0deList \
    on-event=Replace_malc0de policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=23:56:00
#6.2 Add System Scripts for Spamhaus, DShield, and malc0de.
/system script
add name=DownloadSpamhaus owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/tool fetch url=\"https://www.mikrotikexamples.com/tools/spamhaus.rsc\" mode=http;\r\
    \n:log info \"Downloaded spamhaus.rsc from mikrotikexamples.com\";\r\
    \n"
add name=ReplaceSpamhaus owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/ip firewall address-list remove [find where comment=\"SpamHaus\"]\r\
    \n/import file-name=spamhaus.rsc;\r\
    \n:log info \"Removed old Spamhaus records and imported new list\";\r\
    \n"
add name=Download_dshield owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/tool fetch url=\"https://www.mikrotikexamples.com/tools/dshield.rsc\" mode=http;\r\
    \n:log info \"Downloaded dshield.rsc from mikrotikexamples.com\";\r\
    \n"
add name=Replace_dshield owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/ip firewall address-list remove [find where comment=\"DShield\"]\r\
    \n/import file-name=dshield.rsc;\r\
    \n:log info \"Removed old dshield records and imported new list\";\r\
    \n"
add name=Download_malc0de owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/tool fetch url=\"https://www.mikrotikexamples.com/tools/malc0de.rsc\" mode=http;\r\
    \n:log info \"Downloaded malc0de.rsc from mikrotikexamples.com\";\r\
    \n"
add name=Replace_malc0de owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/ip firewall address-list remove [find where comment=\"malc0de\"]\r\
    \n/import file-name=malc0de.rsc;\r\
    \n:log info \"Removed old malc0de records and imported new list\";\r\
    \n"
#7.0 Complete miscellaneous actions.
#7.1 Set default DNS to Google DNS Servers
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#7.2 Disable various access services for security purposes.
#7.3 Set system clock.
/system clock
set time-zone-name=America/New_York
#7.4 Change default admin username and password
/user set [find name=admin] name=YOURUSERNAME password=YOURPASSWORD
#7.5 Set device name to serial number
/system identity set name=[/system routerboard get serial-number]
#8.0 Heartbeat & Update Functions
#8.1 No-IP Update Function
/system script add name=no-ip_ddns_update owner=admin policy=write,test,read source="# No-IP automatic Dynamic DNS update\r\
    \n\r\
    \n#--------------- Change Values in this section to match your setup ------------------\r\
    \n\r\
    \n# No-IP User account info\r\
    \n:local noipuser \"YOURNOIPUSERNAME\"\r\
    \n:local noippass \"YOURNOIPPASSWORD\"\r\
    \n\r\
    \n# Set the hostname or label of network to be updated.\r\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotations below with your host names.\r\
    \n# To specify multiple hosts, separate them with commas.\r\
    \n:local noiphost \"YOURNOIPHOSTNAME.ddns.net\"\r\
    \n\r\
    \n# Change to the name of interface that gets the dynamic IP address\r\
    \n:local inetinterface \"ether1-WAN\"\r\
    \n\r\
    \n#------------------------------------------------------------------------------------\r\
    \n# No more changes needed\r\
    \n\r\
    \n:global previousIP\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n# Get the current IP on the interface\r\
    \n   :local currentIP [/ip address get [find interface=\"\$inetinterface\" disabled=no] address]\r\
    \n\r\
    \n# Strip the net mask off the IP address\r\
    \n   :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n       :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
    \n           :set currentIP [:pick \$currentIP 0 \$i]\r\
    \n       } \r\
    \n   }\r\
    \n\r\
    \n   :if (\$currentIP != \$previousIP) do={\r\
    \n       :log info \"No-IP: Current IP \$currentIP is not equal to previous IP, update needed\"\r\
    \n       :set previousIP \$currentIP\r\
    \n\r\
    \n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Required since \? is a special character in commands.\r\
    \n       :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$currentIP\"\r\
    \n       :local noiphostarray\r\
    \n       :set noiphostarray [:toarray \$noiphost]\r\
    \n       :foreach host in=\$noiphostarray do={\r\
    \n           :log info \"No-IP: Sending update for \$host\"\r\
    \n           /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuser password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host . \".txt\")\r\
    \n           :log info \"No-IP: Host \$host updated on No-IP with IP \$currentIP\"\r\
    \n       }\r\
    \n   }  else={\r\
    \n       :log info \"No-IP: Previous IP \$previousIP is equal to current IP, no update needed\"\r\
    \n   }\r\
    \n} else={\r\
    \n   :log info \"No-IP: \$inetinterface is not currently running, so therefore will not update.\"\r\
    \n}"
/system scheduler add comment="Update No-IP DDNS" disabled=no interval=5m name=no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test
#Script Finished
:beep frequency=660 length=100ms;
:delay 150ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=510 length=100ms;
:delay 100ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=770 length=100ms;
:delay 550ms;
:beep frequency=380 length=100ms;
:delay 575ms;
#Remove Config Script
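
An added check (not part of the original script) that replays the script's forward-chain filter rules first-match over every pair of interfaces and reports which internal pairs are left at RouterOS's default accept. With the rules as written, the three VLAN segments are isolated from each other in both directions, while 1-default-bridge (ether3 to ether5, including ether5-MGMT) is not isolated from any of them. Only chain, in-interface and out-interface are modelled; a rule that also needs content, p2p, src-address or connection-state matchers is treated as not matching a plain packet.

```python
"""First-match simulation of the retail script's /ip firewall filter forward rules."""
import shlex

# Constructed excerpt of the script's filter rules (same text, only reformatted).
FILTER_RULES = r'''
add action=drop chain=input comment="Drop new connections from blacklisted IP's to this router" \
    connection-state=new in-interface=ether1-WAN src-address-list=blacklist
add action=accept chain=forward src-address=8.8.8.8
add action=drop chain=forward comment=get_peers_drop content=getpeers out-interface=ether1-WAN
add action=drop chain=forward comment=p2p_drop out-interface=ether1-WAN p2p=all-p2p
add action=drop chain=forward in-interface=200-employee-bridge out-interface=100-customer-bridge
add action=drop chain=forward in-interface=300-securepos-bridge out-interface=100-customer-bridge
add action=drop chain=forward in-interface=100-customer-bridge out-interface=200-employee-bridge
add action=drop chain=forward in-interface=100-customer-bridge out-interface=300-securepos-bridge
add action=drop chain=forward in-interface=200-employee-bridge out-interface=300-securepos-bridge
add action=drop chain=forward in-interface=300-securepos-bridge out-interface=200-employee-bridge
'''

# Matchers the simulation understands; any other matcher means "no match for a plain packet".
MODELLED = {"action", "chain", "comment", "in-interface", "out-interface"}

INTERFACES = ["1-default-bridge", "100-customer-bridge", "200-employee-bridge",
              "300-securepos-bridge", "ether1-WAN"]


def parse_rules(text):
    """Join backslash-continued lines and turn each 'add k=v ...' line into a dict."""
    joined, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    rules = []
    for line in joined:
        tokens = shlex.split(line)
        if tokens[0] != "add":
            raise ValueError(f"unexpected line: {line}")
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def decide(rules, chain, in_iface, out_iface):
    """Return 'accept' or 'drop' for a plain packet on the given chain and interfaces."""
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        if set(rule) - MODELLED:
            continue   # needs a matcher we do not model: a plain packet does not match it
        if "in-interface" in rule and rule["in-interface"] != in_iface:
            continue
        if "out-interface" in rule and rule["out-interface"] != out_iface:
            continue
        return rule["action"]
    return "accept"   # RouterOS accepts a packet that reaches the end of a chain unmatched


def forward_matrix(rules, interfaces=INTERFACES):
    """Verdict for every ordered pair of distinct interfaces in the forward chain."""
    return {(i, o): decide(rules, "forward", i, o)
            for i in interfaces for o in interfaces if i != o}


def unisolated_pairs(rules, interfaces=INTERFACES, wan="ether1-WAN"):
    """Internal-to-internal pairs the rules leave at the default accept."""
    return sorted(pair for pair, verdict in forward_matrix(rules, interfaces).items()
                  if wan not in pair and verdict == "accept")


if __name__ == "__main__":
    rules = parse_rules(FILTER_RULES)
    for (i, o), verdict in sorted(forward_matrix(rules).items()):
        print(f"{i:>22} -> {o:<22} {verdict}")
    print("not isolated:", unisolated_pairs(rules))
```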

 

By |October 7th, 2018|Categories: Quick Config|0 Comments

Mikrotik Transparent Bridge Between (2) Routers via EoIP L2 Tunnel

Let's suppose that we want to connect two separate offices to one single LAN where both offices have an internet connection.

To achieve this we will build an EoIP tunnel inside a PPTP connection. EoIP is a MikroTik-specific method of bridging Ethernet traffic over a routed network. The problem with using EoIP as a “VPN” is that it is not encrypted, so we will run it inside an encrypted PPTP tunnel to get around this. Note that PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken today, so do not rely on this tunnel for strong confidentiality.

Note that the private IP range will be the same on both sides. This is not required for the tunnel to work, but bridging two sites into one subnet is one of the purposes of EoIP. It should also be noted that a DHCP server on either end of the tunnel will be “seen” by equipment at both ends of the tunnel.

First we will build the PPTP tunnel. We will set the left router (10.1.1.1) as the PPTP server and the right router (10.2.2.2) as the client.

Left Router:

/interface pptp-server server set enabled=yes
/ppp secret add name="USERNAME" service=pptp password="PASS" \
local-address=192.168.10.1 remote-address=192.168.10.2 \
disabled=no

The above configuration is all that is needed on the left router. It should be noted that the IP range I chose for the tunnel is NOT in the same range as the LAN segments. This is not strictly needed, but it is good network design, since these interfaces will NOT be added to the bridge.

Right Router:

/interface pptp-client
add name="pptp-tunnel1" connect-to=10.1.1.1 \
user="USERNAME" password="PASS" \
profile=default-encryption add-default-route=no \
disabled=no

This is the full configuration needed for the tunnel on the right router. The profile section is a default setting, but I generally specify it anyway.

The PPTP tunnel is now set up and you should see the tunnel as running on both ends. You can see the tunnel interface in Winbox under “Interfaces” and “PPP->Interfaces”.

If you wish to see the IP addresses, you can find them under “IP->Addresses”. Now we need to add the EoIP tunnel. This is the same on both ends, with the exception of the IP address we are connecting to.

Left Router:

/interface eoip add name=eoiptunnel remote-address=192.168.10.2 \
tunnel-id=101 disabled=no

Right Router:

/interface eoip add name=eoiptunnel remote-address=192.168.10.1 \
tunnel-id=101 disabled=no

It is very important that the tunnel-id parameter be the same on both ends.

Next, we will add the bridge (this is the same on both ends):

/interface bridge add name=bridge1

Next, we set up the bridge ports. We will assume that the LAN side of the Mikrotik routers are the ether2 interface.

/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=eoiptunnel

The name eoiptunnel is the “name” parameter we used in the tunnel configuration above. Devices on the right router should use that router's LAN address, 192.168.1.254, as their default gateway. They will also be able to reach the left router at 192.168.1.1, but if you use that as the default gateway for these devices, then ALL their traffic will go across the bridge.

This may be what you’re trying to accomplish, but it is important to note this fact. (Reverse the above for devices on the left router.)

I’ve already mentioned the DHCP server. Note that IP addresses cannot be duplicated on either network.

The EoIP tunnel will act just like a (very long) ethernet cable plugged into a switch at both ends of the tunnel. You are, literally, joining the 2 networks into ONE network.

By |October 5th, 2018|Categories: Specialized|0 Comments

Setting Up IPv6 on MikroTik

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 request=prefix
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge1 advertise=yes
/ipv6 nd
add interface=bridge1 ra-interval=20s-60s
/ipv6 firewall filter
add chain=input action=drop connection-state=invalid comment="Drop (invalid)"
add chain=input action=accept connection-state=established,related comment="Accept (established, related)"
add chain=input action=accept in-interface=ether1 protocol=udp src-port=547 limit=10,20:packet comment="Accept DHCP (10/sec)"
add chain=input action=drop in-interface=ether1 protocol=udp src-port=547 comment="Drop DHCP (>10/sec)"
add chain=input action=accept in-interface=ether1 protocol=icmpv6 limit=10,20:packet comment="Accept external ICMP (10/sec)"
add chain=input action=drop in-interface=ether1 protocol=icmpv6 comment="Drop external ICMP (>10/sec)"
add chain=input action=accept in-interface=!ether1 protocol=icmpv6 comment="Accept internal ICMP"
add chain=input action=drop in-interface=ether1 comment="Drop external"
add chain=input action=reject comment="Reject everything else"
add chain=output action=accept comment="Accept all"
add chain=forward action=drop connection-state=invalid comment="Drop (invalid)"
add chain=forward action=accept connection-state=established,related comment="Accept (established, related)"
add chain=forward action=accept in-interface=ether1 protocol=icmpv6 limit=20,50:packet comment="Accept external ICMP (20/sec)"
add chain=forward action=drop in-interface=ether1 protocol=icmpv6 comment="Drop external ICMP (>20/sec)"
add chain=forward action=accept in-interface=!ether1 comment="Accept internal"
add chain=forward action=accept out-interface=ether1 comment="Accept outgoing"
add chain=forward action=drop in-interface=ether1 comment="Drop external"
add chain=forward action=reject comment="Reject everything else"

By |September 27th, 2018|Categories: IPv6, Routing|0 Comments

Auto Block Common Attackers with dshield, SpamHaus, and malc0de

/ip firewall filter
add chain=input action=drop comment="Drop new connections from blacklisted IP's to this router" \
    connection-state=new src-address-list=blacklist in-interface=ether1-Internet
# Script which will download the drop list as a text file
/system script add name="DownloadSpamhaus" source={
/tool fetch url="https://www.mikrotikexamples.com/spamhaus.rsc" mode=http;
:log info "Downloaded spamhaus.rsc from mikrotikexamples.com";
}

# Script which will Remove old Spamhaus list and add new one
/system script add name="ReplaceSpamhaus" source={
/ip firewall address-list remove [find where comment="SpamHaus"]
/import file-name=spamhaus.rsc;
:log info "Removed old Spamhaus records and imported new list";
}

# Schedule the download and application of the spamhaus list
/system scheduler add comment="Download spamhaus list" interval=3d \
  name="DownloadSpamhausList" on-event=DownloadSpamhaus \
  start-date=jan/01/1970 start-time=04:08:17
/system scheduler add comment="Apply spamhaus List" interval=3d \
  name="InstallSpamhausList" on-event=ReplaceSpamhaus \
  start-date=jan/01/1970 start-time=04:13:17
# Script which will download the drop list as a text file
/system script add name="Download_dshield" source={
/tool fetch url="https://www.mikrotikexamples.com/dshield.rsc" mode=http;
:log info "Downloaded dshield.rsc from mikrotikexamples.com";
}

# Script which will Remove old dshield list and add new one
/system script add name="Replace_dshield" source={
/ip firewall address-list remove [find where comment="DShield"]
/import file-name=dshield.rsc;
:log info "Removed old dshield records and imported new list";
}

# Schedule the download and application of the dshield list
/system scheduler add comment="Download dshield list" interval=3d \
  name="DownloadDShieldList" on-event=Download_dshield \
  start-date=jan/01/1970 start-time=04:18:17
/system scheduler add comment="Apply dshield List" interval=3d \
  name="InstallDShieldList" on-event=Replace_dshield \
  start-date=jan/01/1970 start-time=04:23:17
# Script which will download the malc0de list as a text file
/system script add name="Download_malc0de" source={
/tool fetch url="https://www.mikrotikexamples.com/malc0de.rsc" mode=http;
:log info "Downloaded malc0de.rsc from mikrotikexamples.com";
}

# Script which will Remove old malc0de list and add new one
/system script add name="Replace_malc0de" source={
/ip firewall address-list remove [find where comment="malc0de"]
/import file-name=malc0de.rsc;
:log info "Removed old malc0de records and imported new list";
}

# Schedule the download and application of the malc0de list
/system scheduler add comment="Download malc0de list" interval=3d \
  name="Downloadmalc0deList" on-event=Download_malc0de \
  start-date=jan/01/1970 start-time=04:18:17
/system scheduler add comment="Apply malc0de List" interval=3d \
  name="Installmalc0deList" on-event=Replace_malc0de \
  start-date=jan/01/1970 start-time=04:23:17

Script based on Joshaven Potter’s example http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/
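
The Download_*/Replace_* pairs above fetch a file and hand it straight to /import, which executes every command the file contains. The following is an added validator (not part of the original post or of mikrotikexamples.com) to run over a fetched .rsc before importing it: it accepts only address-list entries for the list the firewall rule matches, with the comment tag the Replace script later removes by, and with sane public IPv4 ranges. The entry format, the sample file and the /8 lower bound are assumptions.

```python
"""Validate a fetched blocklist .rsc before handing it to /import."""
import ipaddress
import shlex

ALLOWED_KEYS = {"list", "address", "comment"}
MIN_PREFIXLEN = 8   # assumption: anything wider than a /8 is a mistake, not a listing

# Ranges a public blocklist must never touch (RFC 1918, loopback, link-local, multicast, ...).
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample in the assumed format; documentation ranges, not a real list.
SAMPLE_RSC = """\
# constructed sample, not a real blocklist
/ip firewall address-list
add list=blacklist address=203.0.113.0/24 comment="SpamHaus"
add list=blacklist address="198.51.100.7" comment="SpamHaus"
add list=blacklist address=192.168.1.0/24 comment="SpamHaus"
add list=blacklist address=192.0.2.0/24 comment="Spamhaus-2018"
add list=blacklist address=203.0.113.0/24 comment="SpamHaus"
add list=blacklist address=16.0.0.0/4 comment="SpamHaus"
/ip dns set servers=198.51.100.53
"""


def check_entry(kv, expected_list, expected_tag):
    """Return an error string for one 'add ...' entry, or None if it is acceptable."""
    extra = set(kv) - ALLOWED_KEYS
    if extra:
        return f"unexpected parameters: {sorted(extra)}"
    if kv.get("list") != expected_list:
        return f"wrong list {kv.get('list')!r}; the firewall rule matches {expected_list!r}"
    if kv.get("comment") != expected_tag:
        return (f"comment {kv.get('comment')!r} != {expected_tag!r}; the Replace script "
                f"removes by comment, so this entry would never be cleared")
    try:
        net = ipaddress.ip_network(kv.get("address", ""), strict=False)
    except ValueError as exc:
        return f"bad address: {exc}"
    if net.version != 4:
        return "IPv6 entry in an /ip firewall list"
    if net.prefixlen < MIN_PREFIXLEN:
        return f"{net} is wider than /{MIN_PREFIXLEN}"
    if any(net.overlaps(b) for b in BOGON_RANGES):
        return f"{net} overlaps a private or reserved range"
    return None


def validate_rsc(text, expected_list="blacklist", expected_tag="SpamHaus"):
    """Return (accepted_networks, problems); only /import the file when problems is empty."""
    accepted, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "/ip firewall address-list":
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            problems.append((lineno, f"unexpected command, refusing to import: {line}"))
            continue
        if any("=" not in tok for tok in tokens[1:]):
            problems.append((lineno, f"malformed entry: {line}"))
            continue
        kv = dict(tok.split("=", 1) for tok in tokens[1:])
        err = check_entry(kv, expected_list, expected_tag)
        if err is None:
            net = ipaddress.ip_network(kv["address"], strict=False)
            if net in seen:
                err = f"duplicate of {net}"
            else:
                seen.add(net)
                accepted.append(str(net))
        if err:
            problems.append((lineno, err))
    return accepted, problems


if __name__ == "__main__":
    ok, bad = validate_rsc(SAMPLE_RSC)
    print("accepted:", ok)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```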

By |September 27th, 2018|Categories: Firewall, Security|0 Comments