Basic Mikrotik.pdf

Setting up Internet Access Server on Basis of MikroTik RouterOS

and ISP Billing System NetUP UTM5

Introduction

This article is concerned with setting up an Internet access server on basis of MikroTik

RouterOS. Access server that blocks/unblocks Internet access is also capable to limit the

bandwidth. Internet access is controlled by the firewall by adding/removing rules to the

forward chain. Bandwidth is limited by Simple Queues. For managing an access server

using billing system UTM5 it is used utm5_rfw daemon, which calls auxiliary scripts that

automate connections to the access server via ssh or telnet and run commands at the

server for operating the firewall or simple queues.

Hereinafter we suppose that the access server connects to the local network

192.168.1.0/24 via the Internet (its IP address in the local network is 192.168.1.1, and

subnet mask is 255.255.255.0 or 24 in CIDR notation). An external IP address of the

access server is 172.16.1.1 (mask 255.255.255.0). By default the gateway IP is

172.16.1.254. The billing system UTM5 is installed on the server, the IP address is

192.168.1.10. In order to allow users of the network connecting to the Internet

IP addresses are transmitted to the external IP address of the access server (SNAT). As in

the current configuration the access server also acts as a router, we shall use these two

terms as synonyms.

Configuring the access server

Setting up Mikrotik RouterOS is not at all that complicated and is mentioned at the

following web site H http://www. TU mikro UT tik.com/docs/ros/2.9/guide/basic H

Here we shall review the process of installation from a CD.

Download the CD image from the web site H www. TU mikro UT tik.com H and burn a CD. Place it

in your CD-ROM drive and boot up the computer. Now you need to select necessary

packages. For an Internet access server it’s enough to select system and security .

Press ‘i’ and follow the configurator.

Note

Security package is necessary only to access the router via ssh. If you prefer telnet you

need not to install the security package. If you forget to set it up you may find out how to

install it below in this article.

After installing the Mikrotik OS you should configure the computer in order to make an

access server: set an administrator password, set IP addresses for networking interfaces,

set a default gateway, set DNS addresses, enable SNAT and set default firewall rules.

Warning

If you wish your computer to work for more than 24 hours you should register your OS

version. For registration go to H http://www. TU mikro UT tik.com/docs/ros/2.9/system/license H

Password

After installing Mikrotik OS a user ‘admin’ is created without a password by default. For

setting the password use the command /password .

Setting IP addresses and default gateway

In Mikrotik OS networking interfaces can be configured using one of two methods:

1. Command /setup and follow the instructions on the screen

2. Menu command /ip .

Let’s examine the second method.

In order to set the IP addresses for the interfaces run the following commands:

> /ip address add address=172.16.1.1/24 interface=ether1 comment="INTERNET"

> /ip address add address=192.168.1.1/24 interface=ether2 comment="LAN"

The following command allows to check IP address settings:

> /ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; INTERNET

172.16.1.1/24 172.16.1.0 172.16.1.255 ether1

1 ;;; LAN

192.168.1.1/24 192.168.1.0 192.168.1.255 ether2

Now set the default gateway:

> /ip route add gateway=172.16.1.254

For viewing the routing information (especially default gateway) use the command

below:

> /ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip,

b - bgp, o - ospf

# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE

0 ADC 172.16.1.0/24 172.16.1.1 ether1

1 ADC 192.168.1.0/24 192.168.1.255 ether2

2 A S 0.0.0.0/0 r 172.16.1.254 ether1

For finishing setting up the network define DNS addresses:

> /ip dns set primary-dns=172.16.1.254

> /ip dns set secondary-dns=172.16.1.253

To check the defined DNS use the command:

> /ip dns print

primary-dns: 172.16.1.254

secondary-dns: 172.16.1.253

allow-remote-requests: no

cache-size: 2048KiB

cache-max-ttl: 1w

cache-used: 16KiB

Check if the settings are correct by the command /ping

SNAT and firewall

In order to allow the users using the Internet their local IP addresses at the external

interface of the router should be translated to the external IP address:

> /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \

\... out-interface=ether1 action=src-nat to-addresses=172.16.1.1

In order to check the settings of IP address translation, use the following command:

> ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat out-interface=ether1 src-address=192.168.1.0/24

action=src-nat to-addresses=172.16.1.1 to-ports=0-65535

After setting up translation of IP addresses every computer of the local network is

allowed to access the Internet. To manage access of users add the following rules to the

forward chain of the firewall:

> /ip firewall filter add chain=forward action=jump jump-target=utm5_forward

> /ip firewall filter add chain=forward action=drop

The first rule redirects packages from the forward chain to chain utm5_forward. In this

article we add to this chain only the rules that permit Internet access. The second rule

rejects all packets which are explicitly not allowed to pass. After the second rule has been

added Internet access from the local network shall be denied.

Now we have finished configuring the router. The access server is managed by the

utm5_rfw daemon using scripts from the package utm5_mikrotic according to the

commands of the billing system core utm5_core.

Setting up ssh server

Note : If you already have the security package installed skip this section.

SSH server is located in the security package. In order to view all installed packages run

/system package print . If security package is absent from the list of installed packages it

should be installed.

Before installation it is necessary to check the free space /system resource print . To install

the package just download from the web site H www. TU mikro UT tik.com H the following file:

all_packages_2.9.xx.zip , unpack it and load security-2.9.xx.npk to the router via ftp

protocol in the binary mode. Then reboot the access server /system reboot - the package

will be installed while the server is preparing for restart. You can watch the installation

process from the monitor connected to the access server. After rebooting, the installed

packages are reflected in the list /system packages print . Please, draw attention that the

security package must not be disabled.

> /system package print

Flags: X - disabled

# NAME VERSION

SCHEDULED

0 security 2.9.13

1 system 2.9.13

Also make sure that ssh service is not disabled. For this use the command /ip service

print .

Also check the ability of connection to the access server using the SSH client.

Configuring utm5_rfw daemon

Note

Hereinafter it is supposed that you have already configured traffic classes, services and

tariffs. Also it is proposed that the system user rfw has been already created (under this

name utm5_rfw connects to the system core). If you have not yet performed this, use the

UTM5 user’s guide.

Note

In this article utm5_rfw daemon is configured under Gentoo Linux OS . In any other OS

configuring can be accomplished in a similar way.

utm5_rfw daemon may be set up at any server which is able to connect to utm5_core via

tcp protocol. Here it is supposed that utm5_rfw and utm5_core are located at the same

physical server.

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: