
HOW-TO: NAT (Network Address Translation) on a Mikrotik Router

Previous articles have discussed the configuration on a Mikrotik Router as I have experienced it -- the initial configuration and succeeding LAN provisions, like DHCP and DNS. I have linked those to the corresponding posts, should you want to check them out. This time, let's outline the internet access side of the configurations.

It is likely that your internet service provider (ISP) will not give you an entire block of IP addresses (otherwise, it will be a very expensive service). They expect you to configure some form of network address translation in order to access the internet or traverse to another network. In order to understand the concepts, let us define the two common methods of NAT, which are source NAT (in Mikrotik lingo "srcnat") and destination NAT (in Mikrotik lingo "dstnat"). Just keep in mind that for connections bound to the internet (going out of the network), srcnat is involved; consequently, for connections going into the local area network, it is dstnat.

NAT in this case does the one-to-many translation. As the traffic passes through the router bound for the internet, the router "masquerades" the IP address of the packet with the public IP address (refer to the initial configuration post) of the router (as additional reading, you may want to check out the RFC1918 standard). The router also performs another significant function: tracking the active connections. When inbound packets return, it uses this tracking information to determine the private IP address to forward the packets to.

Having mentioned that, there are two major configuration blocks that need to be added to the Mikrotik router: the NAT part and the firewall forward chain part. At your discretion, you may also want to adjust the connection tracking parameters of the router, if the default configuration does not fit.

LAN-to-ISP Network Topology

SRCNAT. First, source NAT or srcnat, still taking into account the same configuration that we used in the previous articles. Given a static public IP address, srcnat is best deployed.
/ip firewall nat
add action=srcnat chain=srcnat out-interface=ether1 \
 src-address=192.168.1.0/24 to-addresses=1.1.1.2

Another way of configuring this is to use another form of source NAT called "masquerade". Masquerade is a specialized form of srcnat. While srcnat requires you to specify the address to translate to (to-addresses), masquerade requires a specific interface and retrieves the IP address assigned to that interface when performing the NAT process. There is an associated overhead to masquerade due to this. Just know that in the absence of a static public IP, masquerade is the solution to go with. Masquerade was created to work with dynamic IP addresses on the outbound interfaces.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 \
 src-address=192.168.1.0/24

Given a static public IP address on the outbound interface, both configurations will work. However, it is recommended to use the first configuration to minimize overhead. I have not tested how big the overhead is on my setup but I guess it will vary from setup to setup.
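To make the one-to-many translation and the connection tracking described above concrete, here is a toy model of srcnat and masquerade as an added example (not RouterOS code and not from the original post). The interface table, the LAN prefix and the packet tuples are constructed for the example; srcnat carries a static to-address while masquerade looks the address up from the out-interface per packet.

```python
"""Toy model of RouterOS srcnat/masquerade plus connection tracking.
Illustrative only. Interface addresses, the LAN prefix and all packets
below are constructed for this example."""
from dataclasses import dataclass
from itertools import count

# Constructed interface table: ether1 faces the ISP, ether3 the LAN.
IFACE_ADDR = {"ether1": "1.1.1.2", "ether3": "192.168.1.1"}
LAN_PREFIX = "192.168.1."  # crude /24 membership test for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SrcNat:
    """Many LAN hosts share one public address (one-to-many)."""

    def __init__(self, out_iface="ether1", to_address=None):
        # action=srcnat: to_address is fixed (the static public IP).
        # action=masquerade: to_address is None and is resolved from the
        # out-interface on every packet; that lookup is the extra overhead.
        self.out_iface = out_iface
        self.to_address = to_address
        self.conntrack = {}   # public port -> (lan_ip, lan_port)
        self.reverse = {}     # (lan_ip, lan_port) -> public port
        self.ports = count(1024)

    def public_addr(self):
        return self.to_address or IFACE_ADDR[self.out_iface]

    def outbound(self, pkt):
        """LAN packet leaving via out_iface: rewrite the source tuple."""
        if not pkt.src.startswith(LAN_PREFIX):
            return pkt  # not a LAN source: left untouched
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:  # new connection: allocate a port
            pub_port = next(self.ports)
            self.conntrack[pub_port] = key
            self.reverse[key] = pub_port
        return Packet(self.public_addr(), self.reverse[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Reply from the internet: conntrack restores the LAN destination.
        Unsolicited packets (no tracked entry) are not forwarded."""
        entry = self.conntrack.get(pkt.dport)
        if pkt.dst != self.public_addr() or entry is None:
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
```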

FORWARD chain. The router's built-in firewall needs to be instructed to forward packets NAT'd to the local area network. It needs to accept new connections initiated from the LAN as well.

/ip firewall filter
add chain=forward action=drop comment="DROP invalid packets" connection-state=invalid
add chain=forward action=accept comment="FORWARD packets from LAN" \
 connection-state=related,established

This block of code needs to come after the input chain (router protection).


There you go. After putting the above code in conjunction with the previous configurations done, you will now have a working router able to provide basic network connectivity plus internet access. Next we will discuss quality of service (QoS), or packet prioritization and bandwidth shaping, on the Mikrotik router.

HOW-TO: LAN Configuration of a Mikrotik Virtual Router

In the previous article, we discussed the configuration of the Mikrotik router, with particular focus on connectivity and protection from unauthorized access. This time, we can start with the specific services that it will provide to the local area network (LAN).

Configuring the LAN side requires that we prevent locking ourselves out of the router while executing changes. What does this mean? Any change that would potentially disconnect us from the router will be blocked. The router is smart enough to figure this out. In Mikrotik lingo, the term used to refer to this is "safe mode". The name itself is very intuitive!

To enable safe mode, simultaneously press [CTRL]+[X] on the keyboard, the same hotkey used for "cut" by those familiar with the Windows world. Upon enabling safe mode, the terminal prompt changes, with the string ‹SAFE› appended to it. You will see that in the screenshot below.

Mikrotik SSH Safe Mode

To release safe mode, the same set of keys are used. Similarly, the prompt returns to normal and it shows that safe mode is no longer in effect.

Mikrotik SSH Safe Mode (Toggle)

Without further ado, let us configure the router to be able to perform DNS lookups for our network. This configuration forwards queries to Google's public DNS servers (8.8.8.8 and 8.8.4.4) and at the same time caches the answers in the router's memory. Change the DNS servers to your own if Google's DNS servers are not desired.
/ip dns
set allow-remote-requests=yes cache-size=4098KiB servers=8.8.4.4,8.8.8.8

Next, let us prepare the network segments used on the LAN side by defining an IP pool. This will be used for DHCP services later. Let us assume a segment from 192.168.1.0/24.
/ip pool
add name=POOL1 ranges=192.168.1.11-192.168.1.239

Once the pool is defined, let's use that pool for DHCP services. This is done in two parts. First, define the network segment.
/ip dhcp-server network
add address=192.168.1.0/24 comment=LOCAL_LAN dns-server=192.168.1.1 \
 domain=pimp-my-rig.local gateway=192.168.1.1 \
 ntp-server=NTP_SVR_IP_HERE wins-server=WINS_SVR_IP_HERE

Second, define the DHCP directive.
/ip dhcp-server
add add-arp=yes address-pool=POOL1 authoritative=yes disabled=no \
 interface=ether3 lease-time=1d name=DHCP1

This configuration will not be complete without assigning the LAN gateway IP address to an existing interface on the router. In this case, it is ether3.
/ip address
add address=192.168.1.1/24 comment=LOCAL_LAN interface=ether3 network=192.168.1.0

At this point, the router is able to provide communication between the devices in the local area network. It will be able to support devices that require dynamic host configuration protocol (or DHCP) for automatic configuration of IP addresses. Internet connectivity cannot yet be established, since the RFC1918 addresses (to which the 192.168.0.0/16 network belongs) are non-routable on the internet. What needs to happen is network address translation (or NAT), and the Mikrotik router is just as able to perform this task. We will discuss that in the next article.


For now the router is able to provide network connectivity to hosts within the LAN. It could provide DHCP addresses and cache DNS queries. Please note that all capitalized configuration keywords (e.g. POOL1, DHCP1 and LOCAL_LAN) can be replaced with your own naming convention(s).

ERROR: s3cmd ([Errno 104] Connection reset by peer) Workaround

I use AWS S3 to back up files automatically on my Raspberry PI (let's call it RPI from here on). My RPI does some automation for me on my home network. It has been very successful at doing syncs and automated downloads as well as backups. The usual target for backups is my NAS, but I need to back up the scripts and configuration files as well. When the micro-SD card on the RPI failed, I was grateful that the efforts I initially put in paid off.

If you recall, one of the automated systems I have on my home network is a PVR named sickgear. I was covered on the configuration of its files but I missed its database. Too late for that now, but not entirely too late to solve it.

To remediate, I used a script that called s3cmd (from the s3cmd package) on the RPI. The script is quite simple to implement: the logic is to "touch" an empty file every time I run the backup job. If the database file is newer than the empty file, then execute the backup.

When I tested the script, I was in for a surprise. The s3cmd implementation on RPI was not working and the error is a mix between:
WARNING: Upload failed: /sickbeard.db ([Errno 104] Connection reset by peer)
WARNING: Retrying on lower speed (throttle=0.0x)
WARNING: Waiting..
 --- OR ---
WARNING: Upload failed: /sickbeard.db ([Errno 32] Broken pipe)
WARNING: Retrying on lower speed (throttle=0.0x)
WARNING: Waiting..

[Errno 104] Connection reset by peer

The retrying goes on for quite a while and eventually fails. It seems to work for small files, but fails as the uploaded files increase in size. The workaround suggested on several forums is to ditch s3cmd and replace it with AWSCLI. Several folks have confirmed that it worked. But I'm not quite inclined to develop several scripts for the workaround. So I continued my experimentation, still using s3cmd.

The workaround I discovered was a very simple one. I just replaced "put" with "sync". For more information on the differences between the two, it is explained on the s3tools webpage. That is just what I needed.
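The backup job described above (stamp file, upload only when the database is newer, and "sync" in place of "put") written out as an added example; this is not the author's script. The database path, stamp path and bucket URI are placeholders, and the dry-run switch is an assumption for testing without s3cmd installed.

```python
"""Stamp-file backup job using `s3cmd sync`, as an added example.
Paths and the bucket URI below are placeholders, not the author's."""
import subprocess
from pathlib import Path


def needs_backup(db: Path, stamp: Path) -> bool:
    """True when the database changed since the last successful run,
    or when no stamp exists yet (first run). A missing database is
    never uploaded."""
    if not db.exists():
        return False
    if not stamp.exists():
        return True
    return db.stat().st_mtime > stamp.stat().st_mtime


def sync_command(db: Path, bucket_uri: str) -> list:
    """argv for the sync form that worked on the RPI. sync compares the
    local file with the remote object and only transfers differences,
    which is why it replaces `s3cmd put` here."""
    return ["s3cmd", "sync", str(db), bucket_uri.rstrip("/") + "/"]


def run_backup(db: Path, stamp: Path, bucket_uri: str, dry_run=False) -> bool:
    """Return True if an upload was performed (or would be, under dry_run).
    The stamp is touched only after a successful sync, so a failed upload
    (check=True raises) is retried on the next run."""
    if not needs_backup(db, stamp):
        return False
    if not dry_run:
        subprocess.run(sync_command(db, bucket_uri), check=True)
    stamp.touch()
    return True


if __name__ == "__main__":
    # Placeholder locations; adjust to your own RPI layout and bucket.
    run_backup(Path("/DB_PATH_HERE/sickbeard.db"),
               Path("/STAMP_PATH_HERE/.last_db_backup"),
               "s3://BUCKET_NAME_HERE/sickgear")
```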

s3cmd sync successful

As you can see from the above screenshot, the same file uploaded to AWS S3 bucket takes a few seconds to completely upload. No more errors.


I hope this workaround helps you as well.

HOW-TO: Initial Configuration of a Mikrotik Virtual Router

This year, I shifted technology specialization away from the infrastructure profession to data science, with more particular focus on data cleansing, mining, and archiving and warehousing. And necessities sometimes require application of my infrastructure background and experience. This is what I like about my new assignment -- never a boring day. Had the chance to work on selection of virtual routers, to which I ended up shortlisting two of them, namely, VyOS and Mikrotik.

Eventually, the pick ended up being Mikrotik, and I will be posting several notes on my adventure with the Mikrotik Virtual Router. For all intents and purposes, this post pertains to a VMware setup on the x86 architecture. For now let us cover the initial setup.

After downloading the ISO from the Mikrotik website (obtain a license as well), prepare the virtual machine. On mine, I set it up with 2 vCPUs, 512MB of memory and 1GB of disk space. Remove other hardware from the initial configuration (e.g. floppy drive, USB ports, etc.) that a network router will not have. The setup is pretty straightforward, so let's skip that part and assume it went well.

While on the Mikrotik website, download their utility application called "winbox". This will come in very handy to configure the router.

Other tutorials suggest to rename the network interfaces to WAN and LAN; others, ether1-gateway and ether2-local. On mine, I left them as is. So you don't get confused on my setup, ether1 is facing the ISP (my primary WAN link), ether2 is facing the backup WAN, and ether3 is facing my local area network. Please note that all my network interfaces use the vmxnet3 virtual network cards. You may add as many NICs as you need, but for me this is enough for my requirement.

Your ISP will probably give you both a /30 and /29 IP block. You will need that information. I cannot provide the particulars of my address blocks so for all intents and purposes, let us assume that to be 1.1.1.1/30. To make things easier to interpret, you may plug that information in an IP calculator to obtain more details that need to be added to the router configuration.

IPCALC IP Calculator

Assign that /30 IP address on the Mikrotik router. This can be done a couple of ways. First, the winbox (GUI) way: IP » Addresses, put in the IP address information and set it on interface ether1. Via CLI (terminal on winbox, or telnet, or SSH): /ip address add address=1.1.1.2/30 network=1.1.1.0 comment=WAN-PRI interface=ether1. The router will be reachable at its default address of 192.168.88.1/24 (username is "admin" without a password). Note that 1.1.1.2/30 (address) and 1.1.1.0 (network) were taken from the IP calculator, as seen above.

Next, secure and protect the router from external access by putting a password, turning off unnecessary services and putting firewall rules.

For my setup, I provided a password for admin, then limited its access to the console. I created another password-protected username with full admin access but, unlike admin, it is allowed access from the LAN.
/user set admin password=PASSWORD address=127.0.0.1/32
/user add name=pimp-my-rig password=PASSWORD group=full address=192.168.0.0/16

After setting the admin password, you may choose to disable it and use another administrative account in its place. Simply append the string "disabled=yes" to the line containing admin. This makes it harder for external attacks on your router to succeed, especially since it is the router facing your ISP.

Unwanted Services. Access to the router is open by default. It needs lockdown to be secure. I also disabled services that I no longer need. You will see those below with the "disabled=yes" string appended.
/ip service
set telnet address=192.168.0.0/16 disabled=yes
set ftp address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16 disabled=yes
set ssh address=192.168.0.0/16
set www-ssl address=192.168.0.0/16 disabled=yes
set api address=192.168.0.0/16 disabled=yes
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 disabled=yes

Execute a "print" to check the current configuration. You should see something similar.

Mikrotik Router Default Services

Firewall. Extend the protection to the built-in firewall. The rules I used are below.
/ip firewall filter
add chain=input action=tarpit protocol=tcp in-interface=!ether3 \
 comment="TARPIT connections not coming from LAN (ETH3)"
add chain=input action=drop in-interface=!ether3 \
 comment="DROP other traffic not coming from LAN (ETH3)"

Execute a "print" to check the current configuration. You should see something similar.

Mikrotik Router Initial Firewall

Rules are interpreted from top to bottom, and the fewer rules there are, the faster the router performs, not to mention that fewer resources are consumed. This should pretty much lock down the router while it allows configuration and customization from the console or from terminal sessions on the LAN interface. I will post the configuration of the LAN side and services like DNS, DHCP, web-proxy and NTP in succeeding articles.

You may also opt to drop external traffic rather than tarpit. For more information regarding the action tarpit, refer to this excellent explanation from Wikipedia.


I am a CLI guy so I did my configuration mostly on the command line. Hope this helps you in getting your router up and running.

HOW-TO: Protect Yourself Against Malicious Autorun.INF Code

Laziness has its price. One brain-child of what I consider laziness is autorun.inf. I call it a vulnerability rather than a feature. This is just my two cents. The rationale behind this line of reasoning is that viruses and malicious software take advantage of this so-called feature to install and infect your machine before you are aware it hit you. The actual payload installed varies from viruses to trojans, and likewise the damage it could inflict varies.

The most common mode by which malicious code propagates is by USB flash drives (others call them thumb drives or external storage devices). They all mean the same thing. Before viruses, trojans and other malicious software lurking in these devices hit you, do something about it. Protect yourself! Autorun.INF is an inherent security hole that needs to be plugged, and the way to circumvent this vulnerability is a simple task.

Just so you get an idea of what AUTORUN.INF functionality is: whenever you plug in an external storage device and an application window automatically opens, that is AUTORUN.INF at work. Below is an example of what it looks like. In cases of malicious code, this application window might or might not be visible.

AUTORUN.INF

The solution to this problem is a registry hack. So before you proceed, ensure you have a backup of your machine. This hack works for me and am confident it works but I will not be held liable for consequences that may arise when you execute this procedure on your machine.

As "Administrator", open the registry editor and go to this key: HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion > IniFileMapping > Autorun.INF. The "Autorun.INF" key does not exist by default, so you have to create it. Change the "(Default)" value to @SYS:XXXXXXX.

IniFileMapping

This simply means that instead of looking for Autorun.INF (case-insensitive) on plugged-in external storage devices, Windows will look for the string you substituted after the colon. Now, that is much more difficult to guess than "Autorun.INF".


Making your computer less vulnerable to malicious code will give you confidence in plugging in an external storage device from a colleague for whatever purposes you deem necessary.