Router - RouterOS and Routerboard: Difference between revisions

From AAISP Support Site
(Changed ROS versions required.)
No edit summary
Line 1: Line 1:
= Overview =
= Overview =
Here we will build a basic configuration for RouterOS. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.


Here we will build a basic configuration for RouterOS. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.
With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires versions prior to and including 3.17 or version 5.0rc7 onwards.

With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires versions prior to and including 3.17 or version 5.0rc7 onwards.


We have an AAISP ADSL line with the following details:
We have an AAISP ADSL line with the following details:


*Username= abc@a.1
*Username= abc@a.1
*Password=secret
*Password=secret
*Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
*Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
*Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::/64 to the router)
*Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::/64 to the router)


Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (rfc5737 and rfc3849). Also note that A&A supply a /48 block of IPv6s by default and this example will only use the first /64 in this block.
Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (rfc5737 and rfc3849). Also note that A&A supply a /48 block of IPv6s by default and this example will only use the first /64 in this block.


= Default Config =
= Default Config =


This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Further, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'.
This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Further, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'.


= Configuring Initial Basic Settings =
= Configuring Initial Basic Settings =


Set a password for the admin user:
Set a password for the admin user:
<pre>/user set admin password=NEWPASSWORD</pre>
<pre>/user set admin password=NEWPASSWORD</pre>
Define which services we want to run:
Define which services we want to run:
<pre>/ip service
<pre>/ip service
set telnet disabled=yes
set telnet disabled=yes
Line 29: Line 30:
set www-ssl disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api disabled=yes
set winbox disabled=no port=8291</pre>
set winbox disabled=no port=8291</pre>
And then which helpers we want. Usually you want none as they tend to get in the way!
And then which helpers we want. Usually you want none as they tend to get in the way!
<pre>/ip firewall service-port
<pre>/ip firewall service-port
set ftp disabled=yes
set ftp disabled=yes
Line 37: Line 38:
set h323 disabled=yes
set h323 disabled=yes
set sip disabled=yes
set sip disabled=yes
set pptp disabled=yes</pre>
set pptp disabled=yes</pre>
Set IP addresses on LAN
Set IP addresses on LAN
<pre>/ip address add \
<pre>/ip address add \
address=192.0.2.1/28 \
address=192.0.2.1/28 \
Line 50: Line 51:
disabled=no \
disabled=no \
eui-64=no \
eui-64=no \
interface=ether2</pre>
interface=ether2</pre>
Set basic firewalling (all out, none in!)
Set basic firewalling (all out, none in!)
<pre>/ip firewall filter
<pre>/ip firewall filter
add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
Line 76: Line 77:
add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6
add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6
add action=drop chain=input comment="Drop the rest" disabled=no</pre>
add action=drop chain=input comment="Drop the rest" disabled=no</pre>
Then create the profile to use for PPPoE.
Then create the profile to use for PPPoE.
<pre>/ppp profile add \
<pre>/ppp profile add \
change-tcp-mss=yes \
change-tcp-mss=yes \
Line 86: Line 87:
use-ipv6=yes \
use-ipv6=yes \
use-mpls=no \
use-mpls=no \
use-vj-compression=default</pre>
use-vj-compression=default</pre>
Create the PPP interface.
Create the PPP interface.
<pre>/interface pppoe-client add \
<pre>/interface pppoe-client add \
ac-name="" \
ac-name="" \
Line 103: Line 104:
service-name="" \
service-name="" \
use-peer-dns=no \
use-peer-dns=no \
user=abc@a.1</pre>
user=abc@a.1</pre>
This should create and bring up the PPPoE interface. Check the logs to make sure it does! However, you still won't have connectivity... Configure DNS:
This should create and bring up the PPPoE interface. Check the logs to make sure it does! However, you still won't have connectivity... Configure DNS:
<pre>/ip dns set \
<pre>/ip dns set \
allow-remote-requests=yes \
allow-remote-requests=yes \
Line 110: Line 111:
cache-size=2048KiB \
cache-size=2048KiB \
max-udp-packet-size=512 \
max-udp-packet-size=512 \
servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021</pre>
servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021</pre>
And then configure routing:
And then configure routing:
<pre>/ipv6 route add \
<pre>/ipv6 route add \
disabled=no \
disabled=no \
Line 125: Line 126:
gateway=AAISP \
gateway=AAISP \
scope=30 \
scope=30 \
target-scope=10</pre>
target-scope=10</pre>
Which should give you full connectivity. Note that you could skip the add routes bit by changing 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration probably isn't required.
Which should give you full connectivity. Note that you could skip the add routes bit by changing 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration probably isn't required.


Then, make sure IPv6 neighbour detection is configured properly.
Then, make sure IPv6 neighbour detection is configured properly.
<pre>/ipv6 nd remove [find]
<pre>/ipv6 nd remove [find]
/ipv6 nd add \
/ipv6 nd add \
Line 143: Line 144:
ra-lifetime=30m \
ra-lifetime=30m \
reachable-time=unspecified \
reachable-time=unspecified \
retransmit-interval=unspecified</pre>
retransmit-interval=unspecified</pre>
Set the time:
Set the time:
<pre>/system ntp client set \
<pre>/system ntp client set \
enabled=yes \
enabled=yes \
mode=unicast \
mode=unicast \
primary-ntp=90.155.53.32
primary-ntp=90.155.53.32
/system clock set time-zone-name=Europe/London</pre>
/system clock set time-zone-name=Europe/London</pre>

= Next Steps, Bonding a Second Line =
= Next Steps, Bonding a Second Line =


To be continued.....
To be continued.....

[[Category:Configuring]][[Category:IPv6]][[Category:ADSL]]

Revision as of 16:03, 10 February 2011

Overview

Here we will build a basic configuration for RouterOS. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.

With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires versions prior to and including 3.17 or version 5.0rc7 onwards.

We have an AAISP ADSL line with the following details:

  • Username= abc@a.1
  • Password=secret
  • Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
  • Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::/64 to the router)

Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (rfc5737 and rfc3849). Also note that A&A supply a /48 block of IPv6s by default and this example will only use the first /64 in this block.

Default Config

This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Further, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'.

Configuring Initial Basic Settings

Set a password for the admin user: 

/user set admin password=NEWPASSWORD

Define which services we want to run: 

/ip service
  set telnet disabled=yes
  set ftp disabled=yes
  set www disabled=yes
  set ssh disabled=no port=22
  set www-ssl disabled=yes
  set api disabled=yes
  set winbox disabled=no port=8291

And then which helpers we want. Usually you want none as they tend to get in the way! 

/ip firewall service-port
  set ftp disabled=yes
  set tftp disabled=yes
  set irc disabled=yes
  set h323 disabled=yes
  set sip disabled=yes
  set pptp disabled=yes

Set IP addresses on LAN 

/ip address add \
  address=192.0.2.1/28 \
  broadcast=192.0.2.15 \
  disabled=no \
  interface=ether2 \
  network=192.0.2.0
/ipv6 address add \
  address=2001:db8::/64 \
  advertise=yes \
  disabled=no \
  eui-64=no \
  interface=ether2

Set basic firewalling (all out, none in!) 

/ip firewall filter
  add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=forward comment=ICMP disabled=no protocol=icmp
  add action=drop chain=forward comment="Drop the rest" disabled=no
  add action=accept chain=output disabled=no
  add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=input comment=ICMP disabled=no protocol=icmp
  add action=drop chain=input comment="Drop the rest" disabled=no

/ipv6 firewall filter
  add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=forward comment=ICMP disabled=no protocol=icmpv6
  add action=drop chain=forward comment="Drop the rest" disabled=no
  add action=accept chain=output disabled=no
  add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6
  add action=drop chain=input comment="Drop the rest" disabled=no

Then create the profile to use for PPPoE. 

/ppp profile add \
  change-tcp-mss=yes \
  name=aaisp \
  only-one=yes \
  use-compression=default \
  use-encryption=default \
  use-ipv6=yes \
  use-mpls=no \
  use-vj-compression=default

Create the PPP interface. 

/interface pppoe-client add \
  ac-name="" \
  add-default-route=no \
  allow=pap,chap,mschap1,mschap2 \
  dial-on-demand=no \
  disabled=no \
  interface=ether1 \
  max-mru=1492 \
  max-mtu=1492 \
  mrru=disabled \
  name=AAISP \
  password=secret \
  profile=aaisp \
  service-name="" \
  use-peer-dns=no \
  user=abc@a.1

This should create and bring up the PPPoE interface. Check the logs to make sure it does! However, you still won't have connectivity... Configure DNS: 

/ip dns set \
  allow-remote-requests=yes \
  cache-max-ttl=1w \
  cache-size=2048KiB \
  max-udp-packet-size=512 \
  servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021

And then configure routing: 

/ipv6 route add \
  disabled=no \
  distance=1 \
  dst-address=::/0 \
  gateway=AAISP \
  scope=30 \
  target-scope=10
/ip route add \
  disabled=no \
  distance=1 \
  dst-address=0.0.0.0/0 \
  gateway=AAISP \
  scope=30 \
  target-scope=10

Which should give you full connectivity. Note that you could skip the add routes bit by changing 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration probably isn't required.

Then, make sure IPv6 neighbour detection is configured properly. 

/ipv6 nd remove [find]
/ipv6 nd add \
  advertise-dns=yes \
  advertise-mac-address=yes \
  disabled=no \
  hop-limit=64 \
  interface=ether2 \
  managed-address-configuration=no \
  mtu=1492 \
  other-configuration=no \
  ra-delay=3s \
  ra-interval=3m20s-10m \
  ra-lifetime=30m \
  reachable-time=unspecified \
  retransmit-interval=unspecified

Set the time: 

/system ntp client set \
  enabled=yes \
  mode=unicast \
  primary-ntp=90.155.53.32
/system clock set time-zone-name=Europe/London

Next Steps, Bonding a Second Line

To be continued.....

Retrieved from ‘http://support.aa.net.uk/index.php?title=Router_-_RouterOS_and_Routerboard&oldid=537