These are my notes on the design and configuration of my home network. They aren’t expected to be of value to anyone other than me. Note that I’m new to MikroTik, so it’s very possible that there are multiple better ways of doing what I’ve done here.

Introduction

I live in a rural area and have been unable to find a WISP that can maintain quality internet service for more than a week or two. I’ve finally given up on them and now get internet service over LTE.

The network architecture is simple, as shown in the diagram that follows. The LTE modem operates in bridge mode, which disables its routing and firewall functionality. It provides a single 100BaseT connection with a default IP address of 192.168.5.1, which I did not modify. This device is named modem.

The MikroTik access point named aprouter is used as an access point, router, firewall, and DHCP server. The WAN side of aprouter has an IP of 192.168.88.2 and the LAN side has an IP of 192.168.88.1. It functions as the gateway for the entire LAN. It is configured to serve IP addresses in the range 192.168.88.100-199 to DHCP wireless clients.

The servers are in a separate building and connect to aprouter via a 5GHz MikroTik AP in bridge mode named bridge.

bridge is connected via Cat6 to a MikroTik router named switch, which is configured as a switch with lan address of 192.168.88.9.

The servers are connected router via Cat6. IP addresses on the servers are all statically assigned.

The remainder of this note documents how the network devices are configured.

Basic MikroTik / RouterOS Information

MikroTik (MT) equipment runs RouterOS (ROS) which provides a uniform interface that is easy to administer/configure. These are a few tips to remember.

• The MikroTik Wiki is here.

• As described here, MT devices can be managed via: a web interface, a Windows app named ‘Winbox’, which also works under Wine on Linux/MacOS, and ssh.

• All MT routers are pre-configured with 192.168.88.1/24 on the eth1 port. The default username is admin with no password. Here is general information on securing your router.

• General notes on configuration management for MT devices is here.

• Tips on using the ROS console.

• All of these MikroTik devices run RouterOS (ROS). The configuration of ROS can be dumped into and ASCII file at any time and downloaded. I have found a handy technique to be:

  • Dump and download default configuration.
  • Experiment with configuration changes via one of the GUI interfaces.
  • Dump and download final configuration.
  • Use diff to see which commands need to be executed at the ROS commandline to create the final configuration from scratch.
  • Of course, the configuration files can be put under version control.

Bandwidth Testing

RouterOS includes software for use in bandwidth testing. To use it, choose two devices: a client and a server. By default, all RouterOS devices are configured to act as a server. Use the GUI to access the RouterOS Client, then navigate to ‘Tools->BandwidthTest’. Enter the IP address of the server and the user/password, then click ‘Start’. Enjoy the graph. This can also be done from the command line, sans the graphs.

LTE Modem Configuration

The LTE Modem is a Netgear LB112. Configuration of modem is trivial.

Create a wired connection to modem from a PC. Browse to http://192.168.5.1. Configure the modem in bridge mode. The WAN side of modem will have whatever IP is assigned to it by the carrier. The default IP of LAN side of modem will be 192.168.5.1. Note that when aprouter is configured, we will assign it a WAN IP of 192.168.5.2. In other words, the LAN between modem and aprouter will be 192.168.5.0/24 and will only have two IP addresses on it.

Note that putting modem in bridge mode disables NAT, firewall, etc. The NAT, firewall, etc., services this network uses will be provided by aprouter. The related software in the MikroTik hardware is far more sophisticated than that of the LB112.

The modem configuration can be downloaded for later use, but the configuration is trivially easy and not worth the extra steps.

Basic MikroTik RouterOS Configuration Management

One reason I like MikroTik devices so much is that much of the configuration management is handled identically across all devices. This section contains information on how to perform a few such common tasks.

Configure ROS Security

I use a common security configuration across all MT devices. Don’t run these commands now; they will be referred to from later sections in these notes.
The first steps in configuring a default device are:

1. ssh into the default configuration:

   $ ssh admin@192.168.88.1

   The ROS command prompt will appear.

2. If you wish to view the default configuration, enter the following ROS command :

   /system default-configuration 

3. Enter the following ROS commands (cut/paste) to implement basic security:

   # Overwrite the default 'admin' user with me
   /user set 0 name=khe
   /user set 0 password="LOGINPASSWD"
   
   # Define the local LAN network
   /user set 0 address=192.168.88.0/24
   
   # Disable unused services
   /ip service disable telnet,api,api-ssl
   
   # Only allow management from local addresses
   # Change ssh port to arbitrary unknown port number
   /ip service set ssh port=1924 address=192.168.88.0/24
   /ip service set winbox address=192.168.88.0/24
   /ip service set www address=192.168.88.0/24
   
   # Improve security
   /ip ssh set strong-crypto=yes

After the above commands have been run, administration of the router can only be performed from a local address. Subsequent ssh connections must be made on port 1924, i.e.: ssh -p1924 khe@192.168.88.1.

A good resource on securing the ROS is here.

Backup and Restore

There are two mechanisms that can be used to manage the backup and restore of configurations. The first method, which I term a Full Backup, backs up and restores the entire device configuration. The second method, which I term a Delta Backup, works only with the configuration changes that have been made relative the the default configuration of the device. Neither of these terms are used by MikroTik; I invented them to help me understand the distinctions between the methods. These notes describe both mechanisms.

Full Backup/Restore of Entire Configuration

Full Backup of ROS Configuration

Backups of the entire configuration can be performed and downloaded using the GUI applications via ‘Files->Backup’. This creates a file containing the entire device configuration. Here is how to do it via the command line:

1. Make a full backup, creating a file ending in .backup, which is stored on the device:

   $ ssh khe@192.168.88.1 -p 1924 \
         '/system backup save name=filename dont-encrypt=yes'

2. Download the full backup that was created in the previous step to the local system:

   $ ftp khe@192.168.88.1:filename.backup

Full Restore of ROS Configuration

A previously created full backup file can be uploaded with a GUI application via ‘Files->Upload’ and ‘Files->Restore’. Here is how to do it via the command line:

1. Upload a previously created full backup file named, e.g., approuter-20171208.backup:

   $ echo 'put approuter-20171208.backup' | ftp khe@192.168.88.1

2. Install a full backup file already uploaded to the device:

   $ ssh khe@192.168.88.1 -p 1924 \
         '/system backup save name=approuter-20171208'

Delta Backup/Restore of Configuration

If it is possible to perform delta backups / restores from the GUI, I don’t know how to do it. I only provide information on working with these via the command line.

Delta Backup of ROS Configuration

1. Make a delta backup, creating a file ending in .rsc, which is stored on the device:

   $ ssh khe@192.168.88.1 -p 1924 \
         '/system backup save name=filename dont-encrypt=yes'

2. Download the delta backup that was created in the previous step to the local system:

   $ ftp khe@192.168.88.1:filename.rsc

Delta Restore of ROS Configuration

1. If you are performing a restore of a device, you probably want to first reset the device to its default settings:

   $ ssh khe@192.168.88.1 -p 1924 \
         '/system reset-configuration'

   reset-configuration automatically creates a backup of the existing configuration prior to reset, unless specifically told not to.

   Remember that, after doing this, the default user will be admin with no password. Don’t set a device to its default configuration while it is still exposed to the internet.

   Also, there is a keep-users option to reset-configuration, which preserves existing users and passwords.

2. Upload a previously created delta backup file named, e.g., approuter-20171208.rsc:

   $ echo 'put approuter-20171208.rsc | ftp admin@192.168.88.1

3. Install a delta backup file already uploaded to the device:

   $ ssh admin@192.168.88.1 -p 1924 \
         '/system backup save name=approuter-20171208'

Wireless AP / Router Configuration

The Wireless AP / Router is a MikroTik wAP ac. It has both 2GHz and 5GHz radios and also contains a MikroTik RouterBoard running RouterOS.

The default WLAN IP address for aprouter is 192.168.88.1. I do not change this.

Perform the configuration steps in Configure ROS Security. Recall that all subsequent ssh connections must be made to port 1924 with username khe.

The following two subsections describe how to configure aprouter using two different methods: GUI and commandline.

Configuration Via GUI

The next steps in configuration can be performed using either the web UI or Winbox. Browse to http://192.168.88.1 or use Winbox, choose ‘Quick Set’ to configure the following:

1. ‘Quick Set’ mode to ‘Home AP Dual’.

2. For both 2GHz and 5GHz:

    SSID         Haven
    Password     SECRETPASSWD

3. Create a guest network:

    SSID         HavenGuest
    Password     SECRETPASSWD

4. Configure the WAN (‘Internet’):

    Address Acquisition   Static
    IP Address            192.168.5.2
    Netmask               255.255.255.0(/24)
    Gateway               192.168.5.1
    DNS Server            8.8.8.8
    DNS Server            8.8.4.4

5. Configure the LAN (‘Local Network’):

    IP Address            192.168.88.1
    Netmask               255.255.255.0(/24)
    DHCP Server           enabled
    DHCP Server Range     192.168.88.100-192.168.88.199
    NAT                   enabled

6. Click ‘Apply Configuration’.

   When this is complete, there will be four different WLANs: Haven (2GHz), Haven (5GHz), HavenGuest (2GHz), HavenGuest (5GHz). Note that since the 2GHz and 5GHz WLANs have the same SSID, they will only appear once in the list of choices shown on any WiFi client. A network user will simply choose (e.g.) Haven, and their system will automatically choose the supported/best radio to use. This also means that clients supporting both 2GHz and 5GHz will automatically switch back and forth between them, depending upon which will provide the best performance. This configuration hides the 2GHz/5Ghz choice from users while giving them the benefit of both.

7. Leave the setup wizard offered by ‘Quick Set’ by clicking on ‘WebFig’. WebFig provides access to all of the settings on the device. In WebFig, navigate to ‘System->Identity’ and enter the device’s name: aprouter, then click ‘Apply’.

Configuration Via Commandline

To be provided.

Configure DNS Via Commandline

Add selected local hosts to the static DNS configuration with these ROS commands:

/ip dns static add address=192.168.5.1    name=modem
/ip dns static add address=192.168.88.1   name=aprouter
/ip dns static add address=192.168.88.9   name=switch
/ip dns static add address=192.168.88.5   name=bridge

Backup or Restore the Configuration

Follow the steps described in Backup and Restore manage backing up and restoring the device configuration.

Wireless Bridge Configuration

The servers connect to the LAN via a MikroTik OmniTik 5GB Access Point / Router named bridge, which is configured as a bridge to aprouter.

1. Perform the steps in Configure ROS Security.

2. Using a GUI:

   1. Use the ‘Quick Set’ wizard to change these settings, then click ‘Apply Configuration’:

       Quick Set             CPE
       Mode                  Bridge
       Address Acquisition    Static
       IP Address            192.168.88.5
       Netmask               255.255.255.0(/24)
       Router Identity       bridge

   2. Change to ‘WebFig’ mode.

   3. Create a wireless security profile with the settings necessary to connect to approuter by going to ‘Wireless->SecurityProfile’ and entering these settings, then clicking ‘Apply’:

       Name                   haven
       Mode                   dynamic keys
       Authentication Types   WPA/PSK, WPA2/PSK
       WPA Pre-Shared Key     SECRETPASSWD
       WPA2 Pre-Shared Key    SECRETPASSWD

   4. Go to ‘Wireless->Interfaces’, enter these settings, then click ‘Apply’:

       Mode                  station pseudobridge
       SSID                  Haven
       Security Profile      haven

   5. Navigate to ‘IP->DHCPServer’ and disable the DHCP Server.

   6. Navigate to ‘IP->DHCPClient’ and disable DHCP on all interfaces.

   7. Navigate to ‘IP->DNS’ and set the Server to 192.168.88.1.

   8. ‘IP-Firewall’ and disable all rules.

Static IP

I want to be able to control bandwidth by IP, particularly to the Roku box. To do that easily, the Roku needs a static IP. When the Roku is on the network, winbox:IP->DHCPServer. Double click the entry for the Roku, then click ‘Make Static’. Close the window then double click on the Roku entry again to see the change (i.e., the UI is not updated dynamically).

http://networkingforintegrators.com/2012/08/dhcp-reservations/

IKEv2/IPsec VPN - PSK

Configuration using pre-shared key. Only works with macOS, as far as I know. Taken from: http://tikdis.com/mikrotik-routeros/configurating-routeros/vpn/

[khe@aprouter] > /ip pool add name=VPN ranges=192.168.88.200-192.168.88.210
[khe@aprouter] > /ip ipsec mode-config add name=cfg1 system-dns=yes address-pool=VPN address-prefix=32
[khe@aprouter] > /ip ipsec peer add enc-algorithm=aes-256,aes-128 exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=yes secret=720ScenicDriveJCTX