Categories
DIY

Mikrotik/Mikrotak

Since our last one-side conversation, plenty of different new obstacles appeared and challenged homemade infrastructure, but some of them are accumulated as general term “network issue”. And yes, this post about network from non-network engineer.

It was a while, and here we come again.

Since our last one-side conversation, plenty of different new obstacles appeared and challenged homemade infrastructure, but some of them are accumulated as general term “network issue”. And yes, this post about network from non-network engineer.

Some time ago I decided to jump into magnificent journey called “Microtik” to archive some benefits, that was locked with old Zyxel Keenetik Giga:

  • Speedup VPN, that act as an internet gateway for publishing
  • Use single management interface
  • Natively integrate and route several networks
  • Use Wi-Fi hotspot within the same environment
  • Many others….

It was a plenty of options, but I wanted something 10 Gb, engineering and interesting to implement. Long story short – be afraid of your wishes, as it overcome it.

Beginning

So, one day I got a nice box with some piece of hardware. Nice package, nice vibe of new hardware with some additions, like SPF, that makes everything faster and hotter…

So, after initial setup, that seems to be quite straightforward, results did not overcome expectations, but for sure it was something, that was better old Zyxel. With Wireguard VPN configuration, creation of publication rules and other things to reproduce Keenetic we are ready to go in prod. Seems to be too easy, but no – everything logical, including interface(WinBox (sorry…)), structure and we are good to go.

Initial switchover between router was so smooth, that next Amazon order was hotspots to cover all the Wi Fi dead zones as well as integration with current router.

Plan not failed, but faced physics – 1Gb network interfaces on the hotspots won’t be able to produce 1000000 Gb of throughput as well as magnificent WiFi10. Of course, it’s not a fault of the Mikrotik, it was expected limitation.

And, finally, we are moving, probably to the best and most interesting part – restore.

Blackout

I’ve got feeling that whole world was laughing about this Spanish blackout. From the inside it seemed like a movies back from 90th, or regular USSR evening – all the kids on the streets, playing games, parents in the shop queue. So, quite nice.

But when the power got back (after almost 14 hours) at 3 am magic began. All the servers went back good, storage, VMs, not issues, but Mikrotik refused to run the tunnel.

This article was postponed enough times to go deep into the details, but the reason behind it was about many updates (including configuration) and lack of reboots. Unfortunately, this knowledge took about 10 hours of sleepless troubleshooting to return it back to working configuration.

Blackout issue unveil sad truth of life:

  • UPS need to even in the flat, and you cannot rely on public infrastructure even in city.
  • Regular reboot better to do, even with the network equipment.
  • Power outage is the best time for hardware maintenance.

Lessons learned

Initially this post was planned as a comprehensive guide to setup Mikrotik, but at the end I came to the conclusion that this pleasure should stay with any person, who wants to start doing networking.

But one thing I really want to share: quite generic Mikrotik config, that could help you with configuration(source):

#1 Get your WireGuard connection information from your VPN provider. Here I will be using KeepSolidVPN. Note: if you want to create multiple tunnels please choose a different device for each. If you will get info for tunnel X on device A, and then you create tunnel Y on device A then tunnel X will be deleted by your provider. IPSec in this case is easier.

I have 4 files from VPN provider (each looks like this)

[Interface]PrivateKey = [private key here]ListenPort = 51820Address = [IPaddress]/32DNS = [DNS-IP]

[Peer]PublicKey = [public key here]PresharedKey = [PSK key here]AllowedIPs = 0.0.0.0/0Endpoint = [enpointIP]:51820PersistentKeepalive = 25

#2 Lets set up interface on MT

/interface wireguard add listen-port=51821 mtu=1420 name=KeepSolidVPN-Germany private-key="[private key here – tunnel DE]"

Note: Please use a different ListenPort number than you received from your VPN provider. You can’t have multiple interfaces with same port working at the same time

/interface wireguard add listen-port=51822 mtu=1420 name=KeepSolidVPN-France private-key="[private key here – tunnel FR]"

/interface wireguard add listen-port=51823 mtu=1420 name=KeepSolidVPN-Poland private-key="[private key here – tunnel PL]"

/interface wireguard add listen-port=51824 mtu=1420 name=KeepSolidVPN-UK private-key="[private key here – tunnel UK]"

#3 Lets set up peers on MT

/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=[enpointIP – tunnel DE] endpoint-port=51820 interface=KeepSolidVPN-Germany persistent-keepalive=25s preshared-key="[PSK key here – tunnel DE]" public-key="[public key here – tunnel DE]"

/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=[enpointIP – tunnel PL] endpoint-port=51820 interface=KeepSolidVPN-Poland persistent-keepalive=25s preshared-key="[PSK key here – tunnel PL]" public-key="[public key here – tunnel PL]"

/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=[enpointIP – tunnel UK] endpoint-port=51820 interface=KeepSolidVPN-UK persistent-keepalive=25s preshared-key="[PSK key here – tunnel UK]" public-key="[public key here – tunnel UK]"

/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=[enpointIP – tunnel FR] endpoint-port=51820 interface=KeepSolidVPN-France persistent-keepalive=25s preshared-key="[PSK key here – tunnel FR]" public-key="[public key here – tunnel FR]"

#4 Lets set up IP addresses for each tunnel on MT

/ip address add address=[IPaddress – tunnel DE]/32 interface=KeepSolidVPN-Germany network=[IPaddress – tunnel DE]

/ip address add address=[IPaddress – tunnel PL]/32 interface=KeepSolidVPN-Poland network=[IPaddress – tunnel PL]

/ip address add address[IPaddress – tunnel UK]/32 interface=KeepSolidVPN-UK network=[IPaddress – tunnel UK]

/ip address add address=[IPaddress – tunnel FR]/32 interface=KeepSolidVPN-France network=[IPaddress – tunnel FR]

#5 Create routing tables on MT

/routing table add comment="Table for WireGuard - Poland" disabled=no fib name=wg-pl

/routing table add comment="Table for WireGuard - Germany" disabled=no fib name=wg-de

/routing table add comment="Table for WireGuard - UK" disabled=no fib name=wg-uk

/routing table add comment="Table for WireGuard - France" disabled=no fib name=wg-fr

#6 Lets create routes on MT

/ip route add dst-address=0.0.0.0/0 gateway=KeepSolidVPN-UK routing-table=wg-uk

/ip route add dst-address=0.0.0.0/0 gateway=KeepSolidVPN-France routing-table=wg-fr

/ip route add dst-address=0.0.0.0/0 gateway=KeepSolidVPN-Germany routing-table=wg-de

/ip route add dst-address=0.0.0.0/0 gateway=KeepSolidVPN-Poland routing-table=wg-pl

#7 Lets create masquerades on MT

/ip firewall nat add action=masquerade chain=srcnat out-interface=KeepSolidVPN-Poland

/ip firewall nat add action=masquerade chain=srcnat out-interface=KeepSolidVPN-Germany

/ip firewall nat add action=masquerade chain=srcnat out-interface=KeepSolidVPN-UK

/ip firewall nat add action=masquerade chain=srcnat out-interface=KeepSolidVPN-France

We are ready now for different scenarios

Scenario A – Specific computers are using tunnels exclusively (i.e. Computer X with IP-A is using tunnel-X)

/routing rule add action=lookup disabled=no src-address=IP-A/32 table=wg-uk (Computer with IP-A is sending all its traffic via UK tunnel)

/routing rule add action=lookup disabled=no src-address=IP-B/32 table=wg-de (Computer with IP-B is sending all its traffic via Germany tunnel)

/routing rule add action=lookup disabled=no src-address=IP-C/32 table=wg-fr (Computer with IP-C is sending all its traffic via France tunnel)

/routing rule add action=lookup disabled=no src-address=IP-D/32 table=wg-pl (Computer with IP-D is sending all its traffic via Poland tunnel)

Scenario B – Entire network is using ONE specific tunnel

/routing rule add action=lookup disabled=no src-address=Local-IP(Subnet)/NetSize table=wg-uk

Entire network Local-IP(Subnet)/NetSize (i.e. 192.168.0.0/24 if you have subnet 192.168.0.0 netmask 255.255.255.0) is sending all its traffic via UK tunnel). If you know segmentation with NetSizes you can play it pushing parts of your network to different tunnels. The sky is the limit here.

Scenario C – Same as A but using lists (will be important with Scenario E) (What is good it is much easier to add/remove computers in the lists (rather than create/delete routing rules), also you could disable IPs from the lists and when needed just enable it – good for scripts). Note: LAN is my bridge for all LAN traffic, you can be interface-specific here

/ip firewall address-list add address=IP-A list=local-uk

/ip firewall address-list add address=IP-B list=local-de

/ip firewall address-list add address=IP-C list=local-fr

/ip firewall address-list add address=IP-D list=local-pl

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-PL passthrough=yes src-address-list=local-pl

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-UK passthrough=yes src-address-list=local-uk

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-FR passthrough=yes src-address-list=local-fr

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-DE passthrough=yes src-address-list=local-de

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-DE dst-address-type=!local in-interface=LAN new-routing-mark=wg-de passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-UK dst-address-type=!local in-interface=LAN new-routing-mark=wg-uk passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-FR dst-address-type=!local in-interface=LAN new-routing-mark=wg-fr passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-PL dst-address-type=!local in-interface=LAN new-routing-mark=wg-pl passthrough=no

Scenario D – Traffic to the countries based on their IP addresses. You can use https://mikrotikconfig.com/firewall/ to download IP ranges. Then you need to change list names to be different for each country. Note: LAN is my bridge for all LAN traffic, you can be interface-specific here

Upload file(s) to MT

/import IP-Poland.rsc

/import IP-Germany.rsc

/import IP-France.rsc

/import IP-UK.rsc

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-Poland new-connection-mark=VPN-IP-PL passthrough=yes

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-Germany new-connection-mark=VPN-IP-DE passthrough=yes

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-UK new-connection-mark=VPN-IP-UK passthrough=yes

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-France new-connection-mark=VPN-IP-FR passthrough=yes

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-DE dst-address-type=!local in-interface=LAN new-routing-mark=wg-de passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-UK dst-address-type=!local in-interface=LAN new-routing-mark=wg-uk passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-FR dst-address-type=!local in-interface=LAN new-routing-mark=wg-fr passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-PL dst-address-type=!local in-interface=LAN new-routing-mark=wg-pl passthrough=no

Scenario E – Combination of Scenarios C & D. The way I am doing this here is first there are computers in the network that will use tunnels for their all traffic and then the rest will use traffic based on destination address i.e. computer with IP-A will use exclusively tunnel to the UK, IP-B to Germany, IP-C to France, IP-D to Poland. So if IP is not in the local-xx list then it checks the destination address and route to proper tunnels. If IP is outside any of your lists it will be routed to your Internet connection without using VPN (i.e. in my case it is WAN). Please note that you can't do it any other way (destination and then source) as it does not make sense and would create more issues with proper routing) Note: LAN is my bridge for all LAN traffic, you can be interface-specific here

/ip firewall address-list add address=IP-A list=local-uk

/ip firewall address-list add address=IP-B list=local-de

/ip firewall address-list add address=IP-C list=local-fr

/ip firewall address-list add address=IP-D list=local-pl

Upload file(s) to MT

/import IP-Poland.rsc

/import IP-Germany.rsc

/import IP-France.rsc

/import IP-UK.rsc

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-PL passthrough=yes src-address-list=local-pl

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-UK passthrough=yes src-address-list=local-uk

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-FR passthrough=yes src-address-list=local-fr

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VPN-IP-DE passthrough=yes src-address-list=local-de

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-Poland new-connection-mark=VPN-IP-PL passthrough=yes

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-Germany new-connection-mark=VPN-IP-DE passthrough=yes

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-UK new-connection-mark=VPN-IP-UK passthrough=yes

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=IP-France new-connection-mark=VPN-IP-FR passthrough=yes

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-DE dst-address-type=!local in-interface=LAN new-routing-mark=wg-de passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-UK dst-address-type=!local in-interface=LAN new-routing-mark=wg-uk passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-FR dst-address-type=!local in-interface=LAN new-routing-mark=wg-fr passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=VPN-IP-PL dst-address-type=!local in-interface=LAN new-routing-mark=wg-pl passthrough=no

Aside these configuration, I’d like to share WiFi experience – it’s complicated. Despite the fact, that everything about wireless transmissions is known, seems like in Mikrotik world it’s a different rules. Only way to make it speed and stable, is try and fail approach with KISS principle. Miktotik forum is quite useful in it also.

What’s your Reaction?
+1
0
+1
0
+1
0

By root

In Unix-like computer OSes (such as Linux), root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user). Alternative names include baron in BeOS and avatar on some Unix variants. BSD often provides a toor ("root" written backward) account in addition to a root account.
Regardless of the name, the superuser always has a user ID of 0. The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024.