Configure Mikrotik Firewall

Colette

Aug 4, 2024, 11:10:46 PM
to broodletmostli
However, when I add these details to the Mikrotik router it still does not get any internet access. I have set up the NAT rule for masquerade but still no internet access. Does someone know what step I am missing, or can someone please guide me on doing this setup from scratch? I can't seem to find a Google result that explains it in a way I can understand.

The RB951G-2HnD is a wireless SOHO Gigabit AP with a new generation Atheros CPU and more processing power. It has five Gigabit Ethernet ports, one USB 2.0 port and a high power 2.4GHz 802.11b/g/n wireless AP with antennas built in.


In comparison with previous model RB751G-2HnD, it has more powerful 600Mhz CPU (instead of 400Mhz), more RAM - 128MB instead of 64MB, same form factor and price. The device is very small and will look good in any home or office, wall mounting anchor holes are provided.


You should use the RB951G-2HnD IP address as a gateway IP address in DHCP and not point to your old firewall if you want to remove that appliance. User machines would then need to release and renew their IP address (to get the new setting).


I understand your point about it not being a firewall router, as we usually use either SME or Untangle for our firewall boxes. I just find it strange that it refused to get internet access. Also, I am testing internet from the Mikrotik itself, not devices connected to the Mikrotik, so it won't have anything to do with its local network settings.


Try to troubleshoot next time you test:

Does it ping the ISP router? If you traceroute to the internet (8.8.8.8), does it go via the ISP router? Does it drop after that?

Did you put the default route in the Mikrotik correctly?


Once the Mikrotik can ping the ISP router and traceroute past it to the internet, you will need to configure LAN access: a LAN subnet, a NAT rule for the LAN subnet, and DHCP with DNS server settings, etc.
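The checks just described, together with the WAN pieces a router needs before a masquerade rule can do anything, written out as RouterOS CLI commands. This is an added example, not configuration from the thread; the 203.0.113.0/24 addresses are documentation-range placeholders for the ISP router (.1) and the Mikrotik WAN port (.2), and ether1 is assumed to be the WAN interface.

```routeros
# Added example, not from the thread. With a static WAN address the router
# needs an address on the WAN port, a default route to the ISP router and a
# resolver before NAT matters. 203.0.113.x is a placeholder range.

# WAN address on ether1 and the default route via the ISP router.
/ip address add address=203.0.113.2/24 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1
/ip dns set servers=8.8.8.8

# Masquerade only helps LAN hosts once the router itself can reach the internet.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Checks, in the order suggested above.
# Expect a 0.0.0.0/0 entry with flags A (active) and S (static).
/ip route print
# 1. Can the router reach the ISP router?
/ping 203.0.113.1 count=3
# 2. Does traffic get past it?
/ping 8.8.8.8 count=3
# 3. The first hop should be the ISP router; a hop that never answers shows where it dies.
/tool traceroute 8.8.8.8 count=1
# 4. Name resolution works through the configured DNS server.
/ping google.com count=3
```

If step 1 fails, the address or cable on ether1 is wrong; if step 1 succeeds but step 2 fails, the default route (or the ISP side) is the problem, and no NAT rule will fix it.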


Mikrotik has a reputation for making highly configurable routers but they also have a higher degree of difficultly in that configuration. Setting a router up for the first time can be a bit intimidating if you have never seen anything like this before.


Rather I will point you to the resources I used to get where I got. I should also mention that my router is configured as a wifi access point and is located behind an OPNsense firewall on a VLAN port. My whole point was to make a guest network that cannot communicate with my primary network. And I have succeeded in that endeavor.


If you right click on the file there is a download option so you can store it off of the router. This is an easy way to recover from a disaster. Backups before and after you do stuff is always recommended.


Removed my main Netgear XR700 router and replaced it with the Mikrotik router now that it is all set up. There are frequent discussions about the range of Mikrotik routers; however, mine has more range than the Netgear, which costs a heck of a lot more. It occupies a lot less real estate and has a lot less flashing lights. I have 400GB download speed and Speedtest says my speed quite a ways away and a wall or two in between the router is about 230GB. Conversely, my Netgear router was usually around 120GB down or so. Impressive.


My yard shed has 2 lasers that are on WiFi, a laptop, and two Shelly IoT switches. The shed is a fair distance from the house and all devices have a good signal. It was slightly spotty on the Netgear router.


You could plug the router into one of those Kill-A-Watt measuring devices. That will let you know your current draw. Short of that, look at the brick and assume about 80% of its rated current draw, worst case.


A network device is a hardware or software component that facilitates the transfer of data and information between nodes within a network. Common types of network devices include routers, switches, hubs, modems, access points, and firewalls.


Without adequate safeguards, network devices become vulnerable entry points for malicious actors to gain unauthorized access to systems, orchestrate data breaches, or cause network disruptions. As such, safeguarding network devices through robust security measures, regular updates, and vigilant monitoring is imperative to maintaining the integrity and reliability of both local and global networks.


Rsyslog is a preinstalled utility in Ubuntu 22.04 for receiving syslog events. The following section shows the steps for enabling Rsyslog on the Ubuntu endpoint and configuring the Wazuh agent to send the syslog log data to the Wazuh server.


1. Paste the following code snippet at the bottom of the /etc/rsyslog.conf file on the Ubuntu endpoint. This code enables UDP port 514 to listen for syslog messages and adds a location to store the security events:


In this scenario, we configure the MikroTik router to send syslog messages remotely to the Wazuh agent on port 514. Perform the following configuration using the MikroTik WinBox tool on a Windows operating system, or the WebUI using the MikroTik device IP address.
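The remote-logging configuration described above, as RouterOS CLI commands rather than WinBox clicks. This is an added example and not the blog post's own configuration: 192.168.100.50 is a placeholder for the host running the Wazuh agent and its rsyslog listener, ether1 is assumed to be the WAN interface, and the WAN-DROP prefix is a constructed name. The firewall rule is included because RouterOS produces firewall log entries only for rules that have logging enabled; without at least one such rule nothing reaches Wazuh for the decoders to match.

```routeros
# Added example, not from the blog post. Ship RouterOS logs over UDP/514 to the
# host running the Wazuh agent (192.168.100.50 is a placeholder address).
/system logging action add name=wazuh target=remote remote=192.168.100.50 \
    remote-port=514 syslog-facility=daemon bsd-syslog=yes

# Send firewall, general system (including logins) and failure topics.
/system logging add topics=firewall action=wazuh
/system logging add topics=system,info action=wazuh
/system logging add topics=error action=wazuh
/system logging add topics=critical action=wazuh

# Firewall events exist only when a rule logs them. Drop new connections that
# arrive on the WAN port and log each one with a prefix a decoder can key on.
# A logged line looks like (constructed sample):
#   WAN-DROP input: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.7:51234->203.0.113.2:8291, len 60
/ip firewall filter add chain=input in-interface=ether1 connection-state=new \
    action=drop log=yes log-prefix="WAN-DROP"

# Confirm the action and the topic-to-action mappings are in place.
/system logging action print
/system logging print
```

Logging every dropped packet on a busy WAN port can produce a large volume of events; on the Wazuh side the decoder keys on the log-prefix, so rate-limiting at the rule (or logging only the first packet of a new connection, as the `connection-state=new` match does) keeps the stream manageable.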


We create custom decoders and rules to extract the necessary fields from the MikroTik syslog and generate alerts based on their relevance. Follow the steps below to create custom rules and decoders in the Wazuh server.


Protecting your network devices is paramount to ensuring the integrity of your communication channels. This blog post shows how to achieve this using a MikroTik device as an example. It covers the necessary configurations that allow a MikroTik router to forward logs to your Wazuh server and the Wazuh configuration for triggering MikroTik-related alerts.


The MikroTik RouterOS is very powerful and flexible and is widely used in all kinds of environments from a simple home user network to large enterprise networks. This tutorial is intended to help you understand the MikroTik RouterOS and to show you how to configure a MikroTik router from start to finish with some of the most commonly used settings. Much of the configuration and theory in this tutorial comes from the book RouterOS by Example by Stephen R.W Discher which is an excellent learning tool and companion to anyone beginning to dabble in the MikroTik world. The book can be purchased here: -b2.html


Download WinBox from and save it to your Desktop. Open WinBox by double-clicking it (no installation required) and connect to your router by clicking on the MAC address in the Neighbors tab. Just make sure you are not plugged into port 1 on the router, as this becomes the internet port later.


Note: when you click on the MAC address of the device it automatically appears in the Connect To: field. This is the recommended way to connect to a MikroTik device for initial configuration. The default logon credentials are admin (must be lowercase) and no password, therefore leave the password field blank and click on the Connect button.


Create a Bridge:

Go to Bridge and click the plus symbol to create a new bridge, then click OK. This allows us to join the ethernet ports and the WiFi interface/s into our local area network or LAN. In this example we will not add ethernet port 1 as it will become the internet port later. This is sometimes known as the wide area network or the WAN.


With the bridge window still open, click on the Ports tab and, one at a time, add ether2, ether3, ether4, ether5 and any wlan interfaces you have. My router has two wlan (wireless local area network) interfaces, one for 2.4 GHz and one for 5 GHz; however, yours may have only one wlan interface, so just add that one to the bridge.


Create a login password by going to System, Password. Leave Old Password blank as the device currently does not have a password. Enter a secure password under New Password and type the same password under Confirm Password and click Change.


From here on, anytime you connect to the router using WinBox, click the IP address instead of the MAC address and use admin as the username and the password you created above. Both username and password are case sensitive.


To point the router to a public DNS server, go to IP, DNS, click the down arrow to the right of the Servers field, type 8.8.8.8, tick Allow Remote Requests so LAN computers can make DNS requests through the router, and click OK.


Leave the default values for DHCP Address Space, Gateway for DHCP Network and Addresses to Give Out, type 192.168.100.1 into the DNS Servers field, change the Lease Time to 60 minutes and click Next. When the new DHCP Server configuration completes you will see this message. Click OK to complete the DHCP Server setup.


Double-click wlan1, go to the Wireless tab, change the Mode to ap bridge, change the Band to 2 GHz-B/G/N, enter your SSID (I used DemoTest), under Frequency Mode select regulatory-domain, change the Country to New Zealand and click OK.


If you have wlan2, double-click it, go to the Wireless tab and enter the following: Mode ap bridge, Band 5 GHz-A/N/AC, SSID whatever you like (I used DemoTest again so both radios use the same WiFi settings), Frequency Mode regulatory-domain and Country New Zealand, then click OK.


With the Wireless Tables window still open, go to Security Profiles and click the plus symbol to add a security profile. Under Name type whatever your SSID is; again I used DemoTest so I can clearly identify the new security profile later when I apply it to the SSID created earlier. Make sure WPA2-PSK is ticked under Authentication Types. Then enter your WiFi password under WPA2 Pre-Shared Key and click OK.


Go to Interfaces, double-click wlan1, click the Advanced Mode button on the right, then change the Security Profile from default to whatever you named the new security profile, then click OK. Again, I used DemoTest for this tutorial. Repeat for wlan2 if you have it, otherwise that radio keeps the open default profile.


As mentioned earlier, we will use ethernet port number 1, or ether1, as the port that connects us to the internet. Depending on the arrangement you have with your internet service provider (ISP) you may need to enter a static IP address; however, most residential connections are dynamic. On that basis we will create a DHCP Client so the wide area network (WAN) interface can obtain an IP address, and its default route, automatically from your ISP, as is the case with most internet connections.
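The whole procedure above (bridge, bridge ports, admin password, DNS, DHCP server, wireless radios with a WPA2-PSK security profile, DHCP client on ether1) as one RouterOS CLI script, followed by the masquerade rule and a minimal input firewall so the router is not managed from the WAN side. This is an added example, not code from the tutorial or from MikroTik: the 192.168.100.0/24 subnet follows the DNS server address used above, the interface names ether1..ether5 and wlan1/wlan2 are assumed, and the password and pre-shared key are placeholders to replace before use.

```routeros
# Added example: the tutorial's WinBox steps as RouterOS CLI commands.
# Assumes ether1..ether5 and wlan1/wlan2 exist; secrets are placeholders.

# 1. Bridge the LAN ports and the radios. ether1 stays out: it is the WAN port.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=wlan1
/interface bridge port add bridge=bridge1 interface=wlan2

# 2. Replace the empty default admin password (placeholder value).
/user set admin password="CHANGE-ME-admin-password"

# 3. Upstream resolver; allow-remote-requests lets LAN clients query the router.
/ip dns set servers=8.8.8.8 allow-remote-requests=yes

# 4. LAN address and DHCP server on the bridge: 60 minute leases, router as DNS.
/ip address add address=192.168.100.1/24 interface=bridge1
/ip pool add name=lan-pool ranges=192.168.100.10-192.168.100.254
/ip dhcp-server add name=lan-dhcp interface=bridge1 address-pool=lan-pool \
    lease-time=1h disabled=no
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 \
    dns-server=192.168.100.1

# 5. WPA2-PSK security profile, then both radios as AP bridges using it.
/interface wireless security-profiles add name=DemoTest mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-wifi-passphrase"
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n ssid=DemoTest \
    frequency-mode=regulatory-domain country="new zealand" \
    security-profile=DemoTest disabled=no
/interface wireless set wlan2 mode=ap-bridge band=5ghz-a/n/ac ssid=DemoTest \
    frequency-mode=regulatory-domain country="new zealand" \
    security-profile=DemoTest disabled=no

# 6. WAN: the DHCP client on ether1 installs the ISP's default route for us.
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=no disabled=no

# 7. Source NAT so LAN hosts share the WAN address.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 8. Input chain: management only from the LAN, replies and ICMP allowed, WAN dropped.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=bridge1 action=accept
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop
```

After applying it, reconnect in WinBox by IP address (192.168.100.1 with the new password) as the tutorial says, and verify the WAN side with `/ip dhcp-client print` (status should be bound) and `/ip route print` (a 0.0.0.0/0 route marked dynamic and active).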
