Mikrotik

  • Mikrotik Broadband (NZ UFB) Setup

    /interface ethernet set [find default-name=ether1] name=ether1-wan
    /interface vlan add interface=ether1-wan name="Broadband UFB" vlan-id=10
    /ppp profile add change-tcp-mss=yes name=ppp-wan
    /interface pppoe-client add add-default-route=yes disabled=no interface="Broadband UFB" keepalive-timeout=disabled name=pppoe-wan password=ISP_USER_PASSWD profile=ppp-wan use-peer-dns=yes user=ISP_USER_LOGON
    /ip firewall service-port set h323 disabled=yes
    /ip firewall service-port set sip disabled=yes
    /ip dhcp-client disable 0
     
    Please Note: The last command above (/ip dhcp-client disable 0) is VERY important.
  • Mikrotik Handy Commands

    /export
    /export file=FILENAME
    /ip firewall filter print all
    /ppp active print without-paging terse
     
  • Mikrotik L2TP-IPSec Server

    /ppp profile add name=ipsec_vpn local-address=192.168.11.1 dns-server=DNS1,DNS2
    /interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
    /ip ipsec policy set [find default=yes] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
    /ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
    /ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONGSECRET1" peer=l2tpserver
    /ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1024
    /ppp secret add name="USER" password="STRONGSECRET2" service=l2tp profile=ipsec_vpn remote-address=192.168.11.2
    /ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
    /ip firewall filter add chain=input action=accept protocol=ipsec-esp

    The 192.168.11.x IP addresses are an arbitrary, NOT-in-use IP address range reserved for the VPN. Remember to add an appropriate route on the connecting client so it can reach the 'real/normal' internal LAN, with the gateway being the local-address specified above (in this case, 192.168.11.1). Each /ppp secret (user login) needs a unique IP address in the same range.
     
    Move the firewall filter rules to the top (first) of the firewall rule list: run /ip firewall filter print all to find the rule numbers, then /ip firewall filter move from_number to_number.
     
    DNS1,DNS2 are the DNS servers used on the normal LAN. I normally include any LAN server running a DNS server and the gateway router itself. Separate IP addresses with a comma; you can have just one.
     
    STRONGSECRET1 is typically a nice long password.
    STRONGSECRET2 is typically something an end user might know or remember (but not necessarily).
    Remember that these DO show up in any exported config file (/export).
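    As an added example (not part of these notes and not MikroTik's own tooling), a small Python audit that rejoins the backslash-wrapped lines of an /export file, redacts password= and secret= values before the file is shared, and flags the legacy algorithms (3des, sha1, modp1024) in the proposal line above. The export text is a constructed sample modelled on the L2TP-IPSec commands above, not a real capture.

```python
import re

# Constructed sample of what "/export" prints for the L2TP/IPsec section above
# (not a real capture). RouterOS wraps long lines with a trailing backslash and
# indents the continuation, so a line-by-line scan must rejoin them first.
SAMPLE_EXPORT = """\
/ppp profile
add dns-server=192.168.1.1 local-address=192.168.11.1 name=ipsec_vpn
/ip ipsec identity
add auth-method=pre-shared-key generate-policy=port-override peer=l2tpserver \\
    secret="STRONGSECRET1"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 \\
    enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1024
/ppp secret
add name=USER password="STRONGSECRET2" profile=ipsec_vpn remote-address=192.168.11.2 service=l2tp
"""

# Proposal algorithm names that are only kept for old-client compatibility.
LEGACY_ALGOS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}
# RouterOS keys whose values are credentials (quoted or bare).
SECRET_RE = re.compile(r'\b(password|secret)=("[^"]*"|\S+)')
ALGO_KEYS = ("auth-algorithms", "enc-algorithms", "pfs-group")

def join_continuations(text):
    """Rejoin lines that RouterOS wrapped with a trailing backslash."""
    return re.sub(r"\\\n\s*", "", text).splitlines()

def redact(line):
    """Replace credential values so the export can be shared or stored."""
    return SECRET_RE.sub(lambda m: f'{m.group(1)}="<REDACTED>"', line)

def audit_export(text):
    """Return (redacted_lines, findings); findings are (line_no, description)."""
    redacted, findings = [], []
    for n, line in enumerate(join_continuations(text), 1):
        if SECRET_RE.search(line):
            findings.append((n, "plaintext credential"))
        for key in ALGO_KEYS:
            m = re.search(rf"{key}=(\S+)", line)
            if m:
                weak = sorted(set(m.group(1).split(",")) & LEGACY_ALGOS)
                if weak:
                    findings.append((n, f"legacy {key}: {','.join(weak)}"))
        redacted.append(redact(line))
    return redacted, findings
```

    Run audit_export on the text of a saved /export file; the findings list points at the line numbers of the rejoined output, and the redacted lines are safe to paste into a ticket or a config repository.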