Router - RouterOS and Routerboard: Difference between revisions

From AAISP Support Site
No edit summary
 
(Removed line which should have been removed from example!)
Line 59: Line 59:
add action=drop chain=forward comment="Drop the rest" disabled=no
add action=drop chain=forward comment="Drop the rest" disabled=no
add action=accept chain=output disabled=no
add action=accept chain=output disabled=no
add action=accept chain=input comment="REMOVE FROM EXAMPLE" disabled=no
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
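Review bot: Removing the `comment="REMOVE FROM EXAMPLE"` rule is a behavioural fix, not a cosmetic one: it is an unconditional `action=accept` on `chain=input` with no interface, protocol or connection-state matcher, placed ahead of the "LAN traffic can go anywhere" and "Established traffic" rules, so every packet addressed to the router itself, including new connections arriving over the PPPoE interface, would have been accepted before the input chain's final drop rule (shown in the configuration below) could see it. With it gone, only traffic arriving on ether2, established/related replies and ICMP reach the router, which is what the "all out, none in" description promises.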

Revision as of 16:31, 25 January 2011

Overview

Here we will build a basic configuration for RouterOS. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.

With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires version 3.17 or earlier, or version 5.x beta onwards.

We have an AAISP ADSL line with the following details:

  • Username = abc@a.1
  • Password = secret
  • Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
  • Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::1/64 to the router)

Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (RFC 5737 and RFC 3849). Also note that A&A supply a /48 block of IPv6 addresses by default; this example only uses the first /64 of that block.

Default Config

This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Further, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'.

Configuring Initial Basic Settings

Set a password for the admin user:

/user set admin password=NEWPASSWORD

Define which services we want to run:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=no port=22
set www-ssl disabled=yes
set api disabled=yes
set winbox disabled=no port=8291

And then which connection-tracking helpers we want. Usually you want none, as they tend to get in the way!

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

Set IP addresses on LAN

/ip address add \
  address=192.0.2.1/28 \
  broadcast=192.0.2.15 \
  disabled=no \
  interface=ether2 \
  network=192.0.2.0
/ipv6 address add \
  address=2001:db8::1/64 \
  advertise=yes \
  disabled=no \
  eui-64=no \
  interface=ether2
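The two address entries above can be sanity-checked mechanically before they are applied. The following Python script is an added example (it is not part of the AAISP page and is not RouterOS code): it joins the backslash-continued commands, parses the key=value parameters, and checks that network= and broadcast= agree with the prefix length, that each address falls inside the routed block from the Overview, and that an IPv6 prefix being advertised is a /64. The sample text and the ALLOCATED_V4/ALLOCATED_V6 constants are constructed from the values on this page; the function names are the example's own.

```python
import ipaddress
import shlex

# Constructed sample: the two address commands from this page, in the
# backslash-continued form that RouterOS exports use.
SAMPLE_CONFIG = r"""
/ip address add \
  address=192.0.2.1/28 \
  broadcast=192.0.2.15 \
  disabled=no \
  interface=ether2 \
  network=192.0.2.0
/ipv6 address add \
  address=2001:db8::1/64 \
  advertise=yes \
  disabled=no \
  eui-64=no \
  interface=ether2
"""

# The routed blocks from the page's Overview (documentation prefixes, RFC 5737/3849);
# an address configured outside them is almost certainly a typo.
ALLOCATED_V4 = ipaddress.ip_network("192.0.2.0/28")
ALLOCATED_V6 = ipaddress.ip_network("2001:db8::/48")

ACTIONS = {"add", "set", "remove"}


def join_continuations(text):
    """Merge backslash-continued lines into one logical command per entry."""
    commands, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            current += line[:-1].rstrip() + " "
        else:
            commands.append((current + line).strip())
            current = ""
    return commands


def parse_command(command):
    """Split '/path words action k=v k=v' into (path, action, {k: v})."""
    tokens = shlex.split(command)          # shlex handles quoted values
    idx = next(i for i, tok in enumerate(tokens) if tok in ACTIONS)
    path = " ".join(tokens[:idx])
    params = dict(tok.split("=", 1) for tok in tokens[idx + 1:] if "=" in tok)
    return path, tokens[idx], params


def check_addresses(text):
    """Return a list of problems found in the /ip and /ipv6 address entries."""
    problems = []
    for command in join_continuations(text):
        path, action, p = parse_command(command)
        if action != "add" or path not in ("/ip address", "/ipv6 address"):
            continue
        net = ipaddress.ip_interface(p["address"]).network
        if path == "/ip address":
            if "network" in p and ipaddress.ip_address(p["network"]) != net.network_address:
                problems.append(f"{p['address']}: network= should be {net.network_address}")
            if "broadcast" in p and ipaddress.ip_address(p["broadcast"]) != net.broadcast_address:
                problems.append(f"{p['address']}: broadcast= should be {net.broadcast_address}")
            if not net.subnet_of(ALLOCATED_V4):
                problems.append(f"{p['address']}: outside routed block {ALLOCATED_V4}")
        else:
            if not net.subnet_of(ALLOCATED_V6):
                problems.append(f"{p['address']}: outside routed block {ALLOCATED_V6}")
            if p.get("advertise") == "yes" and net.prefixlen != 64:
                problems.append(f"{p['address']}: SLAAC needs a /64 prefix to advertise")
    return problems


if __name__ == "__main__":
    found = check_addresses(SAMPLE_CONFIG)
    print("OK" if not found else "\n".join(found))
```

Run it against a pasted export before committing the change; a wrong broadcast address or a /64 that does not sit inside the delegated /48 shows up as a one-line message instead of as a silently unreachable LAN.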

Set basic firewalling (all out, none in!)

/ip firewall filter
  add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=forward comment=ICMP disabled=no protocol=icmp
  add action=drop chain=forward comment="Drop the rest" disabled=no
  add action=accept chain=output disabled=no
  add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=input comment=ICMP disabled=no protocol=icmp
  add action=drop chain=input comment="Drop the rest" disabled=no

/ipv6 firewall filter
  add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=forward comment=ICMP disabled=no protocol=icmpv6
  add action=drop chain=forward comment="Drop the rest" disabled=no
  add action=accept chain=output disabled=no
  add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
  add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6
  add action=drop chain=input comment="Drop the rest" disabled=no
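To see how these chains actually behave, here is an added example (not from the AAISP page and not MikroTik code) that parses the IPv4 rules above into a list and evaluates a handful of constructed packets against them with RouterOS's first-match semantics. It also re-inserts the unconditional input accept that this page's revision history removed, to show why that line had to go. The simulator understands only the three matchers used on this page; the PPPoE interface name AAISP comes from the page, while the packet field names and the function names are the example's own assumptions.

```python
import shlex

# Constructed sample: the IPv4 filter rules from this page, one rule per 'add' line,
# in the form an '/export' prints them.
RULES_TEXT = """
/ip firewall filter
add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
add action=accept chain=forward comment=ICMP disabled=no protocol=icmp
add action=drop chain=forward comment="Drop the rest" disabled=no
add action=accept chain=output disabled=no
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
add action=accept chain=input comment=ICMP disabled=no protocol=icmp
add action=drop chain=input comment="Drop the rest" disabled=no
"""

# Rule matchers this simulator understands, mapped to the packet field they test
# (only the three used on this page; real RouterOS has many more).
MATCHERS = {
    "in-interface": "in_interface",
    "connection-state": "connection_state",
    "protocol": "protocol",
}


def parse_rules(text):
    """Parse 'add key=value ...' lines into rule dicts, in order, skipping disabled ones."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)          # shlex keeps quoted comments intact
        if not tokens or tokens[0] != "add":
            continue
        params = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        if params.get("disabled") != "yes":
            rules.append(params)
    return rules


def rule_matches(rule, packet):
    """A rule matches when every matcher it specifies equals the packet's field."""
    return all(packet.get(field) == rule[key]
               for key, field in MATCHERS.items() if key in rule)


def verdict(rules, packet):
    """First matching rule in the packet's chain wins; RouterOS accepts if none match."""
    for rule in rules:
        if rule["chain"] == packet["chain"] and rule_matches(rule, packet):
            return rule["action"], rule.get("comment", "(no comment)")
    return "accept", "(no rule matched: implicit accept)"


def with_stray_accept(text):
    """Re-insert the unconditional input accept that this page's revision removed,
    ahead of the real input rules, to show what it would have done."""
    stray = 'add action=accept chain=input comment="REMOVE FROM EXAMPLE" disabled=no\n'
    marker = 'add action=accept chain=input comment="LAN traffic'
    return text.replace(marker, stray + marker, 1)


# Constructed packets: (description, fields). 'new' is what connection tracking
# reports for the first packet of a flow; None means the field does not apply.
PACKETS = [
    ("LAN host opens a connection to the internet",
     {"chain": "forward", "in_interface": "ether2", "connection_state": "new", "protocol": "tcp"}),
    ("Internet host opens a connection to a LAN host",
     {"chain": "forward", "in_interface": "AAISP", "connection_state": "new", "protocol": "tcp"}),
    ("Reply to a LAN-initiated connection",
     {"chain": "forward", "in_interface": "AAISP", "connection_state": "established", "protocol": "tcp"}),
    ("Internet host connects to the router's SSH (port 22)",
     {"chain": "input", "in_interface": "AAISP", "connection_state": "new", "protocol": "tcp"}),
    ("Internet host pings the router",
     {"chain": "input", "in_interface": "AAISP", "connection_state": "new", "protocol": "icmp"}),
    ("Router itself sends a DNS query upstream",
     {"chain": "output", "in_interface": None, "connection_state": "new", "protocol": "udp"}),
]

if __name__ == "__main__":
    for label, rules in (("as published", parse_rules(RULES_TEXT)),
                         ("with stray accept", parse_rules(with_stray_accept(RULES_TEXT)))):
        print(f"--- {label} ---")
        for desc, pkt in PACKETS:
            action, why = verdict(rules, pkt)
            print(f"{action:6s} {desc} [{why}]")
```

The "with stray accept" run is the instructive one: the inbound SSH attempt from the PPPoE side flips from drop to accept purely because of where the extra rule sits, which is why rule order in the input chain deserves the same review as the rules themselves.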

Then create the profile to use for PPPoE.

/ppp profile add \
  change-tcp-mss=yes \
  name=aaisp \
  only-one=yes \
  use-compression=default \
  use-encryption=default \
  use-ipv6=yes \
  use-mpls=no \
  use-vj-compression=default

Create the PPP interface.

/interface pppoe-client add \
  ac-name="" \
  add-default-route=no \
  allow=pap,chap,mschap1,mschap2 \
  dial-on-demand=no \
  disabled=no \
  interface=ether1 \
  max-mru=1492 \
  max-mtu=1492 \
  mrru=disabled \
  name=AAISP \
  password=secret \
  profile=aaisp \
  service-name="" \
  use-peer-dns=no \
  user=abc@a.1

This should create and bring up the PPPoE interface. Check the logs to make sure it does! You still won't have connectivity, though, until DNS and routing are configured. Configure DNS first:

/ip dns set \
  allow-remote-requests=yes \
  cache-max-ttl=1w \
  cache-size=2048KiB \
  max-udp-packet-size=512 \
  servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021

Note that allow-remote-requests=yes makes the router answer DNS queries from other hosts, which the LAN needs; it is the input chain above, accepting new connections only from ether2, that keeps the resolver from being reachable over the PPPoE interface. Then configure routing:

/ipv6 route add \
  disabled=no \
  distance=1 \
  dst-address=::/0 \
  gateway=AAISP \
  scope=30 \
  target-scope=10
/ip route add \
  disabled=no \
  distance=1 \
  dst-address=0.0.0.0/0 \
  gateway=AAISP \
  scope=30 \
  target-scope=10

This should give you full connectivity. Note that you could skip adding the routes by setting 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration it probably isn't required.

Then make sure IPv6 neighbour discovery (the router advertisements sent on the LAN) is configured properly.

/ipv6 nd remove [find]
/ipv6 nd add \
  advertise-dns=yes \
  advertise-mac-address=yes \
  disabled=no \
  hop-limit=64 \
  interface=ether2 \
  managed-address-configuration=no \
  mtu=1492 \
  other-configuration=no \
  ra-delay=3s \
  ra-interval=3m20s-10m \
  ra-lifetime=30m \
  reachable-time=unspecified \
  retransmit-interval=unspecified

Set the time:

/system ntp client set \
  enabled=yes \
  mode=unicast \
  primary-ntp=90.155.53.32
/system clock set time-zone-name=Europe/London

Next Steps, Bonding a Second Line

To be continued.....