Category: Mikrotik

Mikrotik DNS Redirect

Recently, we needed to check if any computers inside of a given network were configured to use OpenDNS servers. In our case, the router (10.10.100.1) is acting as a DNS cache and configured to query upstream DNS servers. What we want to do is first catch any internal IP address using OpenDNS IP addresses (208.67.222.222 …

Mikrotik DNS Failover Script

Traditionally, a minimum of two DNS servers are used for any given computer for redundancy. The problem is that Windows computers (and others) will choose the fastest responding server and ignore the order given (primary, secondary, etc.). If we wish to force a primary and only fail over to a secondary, then scripting coupled with …

Dynamic Address Lists Creation with Port Knocking

Port knocking is a technique used to generate or modify firewall rules on the fly based on connections made to specific predetermined ports. Suppose we have a web-facing service (HTTP, DNS, etc.) that we wish to limit access to based on IP addresses. If all of the clients on the Internet side of the router …

Mikrotik Dual WAN Routing – Packet Flow

If we add a second ISP line to our network, we need a couple of mangle entries to keep the traffic flowing in and out the correct interfaces. If we simply add a second WAN connection to the router (in this example we will use eth4), the router may not respond to pings or allow …

Mikrotik 6to4 IPv6 Setup

Today we are looking at how to set up a 6to4 IPv6 tunnel. I will be using a free service at http://www.tunnelbroker.net as the tunnel broker. Hurricane Electric provides this service along with some other very cool IPv6 tools. They also provide a mini IPv6 certification program to help get people started. There are a few things …

Mikrotik Proxy: Limiting Internet Access

In library environments, we often have a need to limit Internet access on certain computers. One example would be for a dedicated card catalog computer where we do not want patrons using the machine for anything else. In this example, we have a certain computer that will only be allowed to access a card catalog …

Mikrotik VLAN Trunk and Unifi AP

Suppose we have an access point capable of multiple SSIDs and VLANs. We want to set up an open hotspot for public access on one channel, and a secured channel for staff. For this exercise, we will use a Ubiquiti Unifi AP and set up two WLANs. The first WLAN will be called “Public” and …

Mikrotik Firewall Basic Settings

Out of the box, the RouterOS firewall is pretty lean on rules. The default configuration may have as few as four rules in place, three for accepting traffic (icmp, connected, and related traffic) and one for blocking all other inbound traffic. Depending on how you have configured your Internet access (static IP, PPPoE, etc.), the …

Mikrotik Policy-Based Routing

One of the more interesting features within the RouterOS mangle (packet marking) facility is the ability to mark packets in the pre-routing chain. With this option, we can perform what is called policy-based routing. Suppose we have two WAN (Internet) connections that our LAN clients could potentially use, and that we wish to split the usage such …

Basic RouterOS Traffic Queueing

In this post, we will look at a basic traffic queuing configuration. Our example network will be comprised of two subnets, one for wired computers (staff and patron) and one for wireless computers (accessed via a wireless AP plugged into port 5). Our wired computers will all be within the 192.168.88.0/24 network on port2, and …
