New Router Setup – Mikrotik CRS305-1G-4S+IN

I recently replaced my default gateway router with a Mikrotik CRS305-1G-4S+IN. Instead of clicking through the setup, I scripted it with the RouterOS CLI. Here's the setup.

If you need to reset the device manually, unplug it, hold down the reset button while plugging it back in, and release the button as soon as the LED starts blinking (about three seconds in). Keep holding and it moves on to the other modes (CAP mode, then Netinstall), so let go at the first blink.

To wipe the existing configuration and make sure the factory default config isn't laid back down afterwards, here's the command.

/system reset-configuration no-defaults=yes skip-backup=yes

With the factory configuration the router lives on 192.168.88.1/24: connect directly to it over Ethernet and set the laptop to something like 192.168.88.2 with a subnet mask of 255.255.255.0 and a gateway of 192.168.88.1. After the no-defaults=yes reset there is no IP configuration at all, so getting back in is a Layer 2 job: Winbox's Neighbors tab finds the router by MAC address on the directly attached port and you connect to that. I download Winbox for the administration at https://help.mikrotik.com/docs/spaces/ROS/pages/328129/WinBox

Router Setup

Here's the full command list for setting up my router, in the order it is applied.

/interface ethernet set ether1 name=wan
/interface ethernet set sfp-sfpplus1 name=lan1
/interface ethernet set sfp-sfpplus2 name=lan2
/interface ethernet set sfp-sfpplus3 name=lan3
/interface ethernet set sfp-sfpplus4 name=lan4

/ip dhcp-client add interface=wan use-peer-dns=no add-default-route=yes

# Quad9 upstream. allow-remote-requests=yes makes the router answer DNS for
# anything that can reach it, so inbound 53 (udp and tcp) from the WAN has to
# be dropped in the firewall or this is an open resolver.
/ip dns set servers=9.9.9.9,149.112.112.112 allow-remote-requests=yes

# Bridge first, with VLAN filtering still off; turning it on before the VLAN
# table exists is the classic way to lock yourself out mid-script.
/interface bridge add name=bridge1

# Access ports: one untagged VLAN each, and refuse tagged frames from the host
# so a client cannot hop VLANs by tagging its own traffic.
/interface bridge port add bridge=bridge1 interface=lan1 pvid=1 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=lan2 pvid=2 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=lan3 pvid=3 frame-types=admit-only-untagged-and-priority-tagged
# Trunk port: tagged only, otherwise untagged frames arriving on lan4 land in
# the default pvid (VLAN 1, i.e. lan1's network).
/interface bridge port add bridge=bridge1 interface=lan4 frame-types=admit-only-vlan-tagged

# Router-facing VLAN interfaces sit on the bridge itself.
/interface vlan add name=vlan1 interface=bridge1 vlan-id=1
/interface vlan add name=vlan2 interface=bridge1 vlan-id=2
/interface vlan add name=vlan3 interface=bridge1 vlan-id=3

# VLAN table: bridge1 tagged so the vlanN interfaces above see the traffic,
# lan4 tagged as the trunk, one untagged access port each. VLAN 1 is also the
# bridge's default pvid, so it is the catch-all for anything untagged; using
# IDs other than 1 for real networks keeps that separation clean.
/interface bridge vlan add bridge=bridge1 vlan-ids=1 tagged=bridge1,lan4 untagged=lan1
/interface bridge vlan add bridge=bridge1 vlan-ids=2 tagged=bridge1,lan4 untagged=lan2
/interface bridge vlan add bridge=bridge1 vlan-ids=3 tagged=bridge1,lan4 untagged=lan3

/ip address add address=10.1.0.1/24 interface=vlan1
/ip address add address=10.2.0.1/24 interface=vlan2
/ip address add address=10.3.0.1/24 interface=vlan3

# Only now, with every port and VLAN declared, switch filtering on.
/interface bridge set bridge1 vlan-filtering=yes

/ip firewall nat add chain=srcnat out-interface=wan action=masquerade

# Management services: bind to RFC1918 only and keep just ssh and winbox.
# Plain www and api carry the admin password in clear text, so they go too;
# if you need them, enable www-ssl/api-ssl with a certificate instead.
/ip service set ssh address=10.0.0.0/8,192.168.0.0/16
/ip service set winbox address=10.0.0.0/8,192.168.0.0/16 port=8299
/ip service disable api
/ip service disable api-ssl
/ip service disable ftp
/ip service disable telnet
/ip service disable www
/ip service disable www-ssl
# The address= filter is a second line of defence, not a substitute for
# dropping WAN traffic to the router in the input chain: 10/8 and 192.168/16
# are also what CGNAT and ISP-modem networks hand out to your wan port.

# Raw table runs before connection tracking, so drops here are cheap but
# stateless; connection-state matching belongs in the filter table below.
# Both udp and tcp 53 are dropped because allow-remote-requests=yes makes the
# router a resolver on both.
/ip firewall raw add chain=prerouting in-interface=wan protocol=udp dst-port=53 action=drop comment="Drop all inbound DNS probes (udp)"
/ip firewall raw add chain=prerouting in-interface=wan protocol=tcp dst-port=53 action=drop comment="Drop all inbound DNS probes (tcp)"
# blocked-inbound is filled via /ip firewall address-list add list=blocked-inbound address=...
/ip firewall raw add chain=prerouting in-interface=wan src-address-list=blocked-inbound action=drop comment="Drop IPs in blocklist"
# A stateless ICMP drop also discards fragmentation-needed for the router's own
# flows; narrow it to icmp-options=8:0 (echo-request) if path MTU discovery matters.
/ip firewall raw add chain=prerouting in-interface=wan protocol=icmp action=drop comment="Drop all unsolicited ICMP (ping) on WAN"
/ipv6 firewall raw add chain=prerouting dst-address=ff02::/16 action=drop comment="Silence IPv6 multicast"

/ipv6 settings set disable-ipv6=yes
/ipv6 firewall raw add chain=prerouting action=drop comment="Drop all IPv6 if unused"

# Filter table, stateful. The address= limits on the services only narrow who
# the listeners answer; this default deny is what keeps ssh, winbox and dns
# off the WAN.
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid traffic to router"
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow replies to the router's own connections"
/ip firewall filter add chain=input in-interface=!wan action=accept comment="Allow the LAN VLANs to reach the router"
/ip firewall filter add chain=input in-interface=wan protocol=icmp action=drop comment="Drop ICMP to router (after raw)"
/ip firewall filter add chain=input in-interface=wan action=drop comment="Drop everything else from WAN to router"

/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established flows"
/ip firewall filter add chain=forward connection-state=new connection-nat-state=dstnat in-interface=wan action=accept comment="Allow new inbound only where dst-nat sent it"
/ip firewall filter add chain=forward in-interface=wan action=drop comment="Drop unsolicited new connections from WAN"
# vlan1/2/3 can still talk to each other; add forward drops between them if
# they are meant to be isolated.

/ip firewall filter add chain=output connection-state=invalid action=drop comment="Drop invalid traffic from router"

/ip neighbor discovery-settings set discover-interface-list=none

# Add a new admin user and disable the default one
/user add name=newadmin group=full password=yoursecurepassword
/user disable admin
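As an added example that is not part of the original post: the management-plane settings the script above leaves at RouterOS defaults. After a no-defaults=yes reset the MAC server (MAC-telnet and MAC-Winbox), the bandwidth-test server and the legacy SSH ciphers are all enabled, and the MAC server answers on every interface including wan. The LAN and WAN interface-list names are introduced here; the interface names are the ones set earlier in the script. It also replaces the discover-interface-list=none line with a LAN-only setting, for those who want the Neighbors tab to keep working from inside.

```routeros
# Added example, not part of the original post. Interface names come from the
# script above; the LAN/WAN list names are introduced here.

# Group interfaces so services and rules can refer to "LAN" and "WAN".
/interface list add name=WAN comment="Upstream"
/interface list add name=LAN comment="Routed VLAN interfaces"
/interface list member add list=WAN interface=wan
/interface list member add list=LAN interface=vlan1
/interface list member add list=LAN interface=vlan2
/interface list member add list=LAN interface=vlan3

# Layer 2 access is what got us into an unconfigured router, so keep it,
# but only from the LAN side. Without this it answers on wan as well.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no

# Neighbor discovery advertises model, version and identity. Restrict it
# to the LAN instead of switching it off entirely if you still want the
# Winbox Neighbors tab to find the router from inside.
/ip neighbor discovery-settings set discover-interface-list=LAN

# Bandwidth-test server and weak SSH ciphers are on by default.
/tool bandwidth-server set enabled=no
/ip ssh set strong-crypto=yes

# Verify: only ssh and winbox enabled with an address= restriction, every
# bridge port and VLAN entry present as a static (not dynamic "D") entry,
# and the firewall counters moving on the rules you expect.
/ip service print
/interface bridge port print
/interface bridge vlan print
/ip firewall filter print stats
```

The print commands at the end are the check to run before unplugging the laptop: a dynamic entry in the bridge VLAN table usually means a port's pvid does not match any static entry, and a service without an address restriction is reachable from anything that can route to the router.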

I also run a flurry of stuff in my home lab and expose it to the internet for demos. Here are the rules for that.

# <mylb> is the LAN address of the load balancer (placeholder, substitute your own).
/ip firewall nat add chain=dstnat in-interface=wan protocol=tcp dst-port=443 action=dst-nat to-addresses=<mylb> to-ports=443

# This accept has to sit above any forward rule that drops new connections
# from wan (use place-before=), unless the chain already accepts
# connection-nat-state=dstnat. Because the dst-nat rule matches
# in-interface=wan only, LAN clients using the public address still need
# hairpin NAT, which is not covered here.
/ip firewall filter add chain=forward in-interface=wan dst-address=<mylb> protocol=tcp dst-port=443 action=accept
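Since the exposure is meant to last only as long as a demo, here is an added example (not from the original post) of tagging the two rules with a shared comment so they can be switched off and on as a unit, plus a scheduler that closes the hole every evening in case a demo is forgotten. <mylb> is the post's placeholder; the demo-443 tag and the 18:00 cut-off are assumptions made here.

```routeros
# Added example, not part of the original post. <mylb> is the placeholder used
# above; the demo-443 comment tag and the 18:00 cut-off are chosen here.

# The same two rules as above, tagged and created disabled.
/ip firewall nat add chain=dstnat in-interface=wan protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=<mylb> to-ports=443 comment=demo-443 disabled=yes
/ip firewall filter add chain=forward in-interface=wan dst-address=<mylb> \
    protocol=tcp dst-port=443 action=accept comment=demo-443 disabled=yes

# Open for a demo ...
/ip firewall nat enable [find comment=demo-443]
/ip firewall filter enable [find comment=demo-443]

# ... close it again by hand ...
/ip firewall nat disable [find comment=demo-443]
/ip firewall filter disable [find comment=demo-443]

# ... or automatically, so a forgotten demo does not stay exposed overnight.
/system script add name=demo-443-off \
    source="/ip firewall nat disable [find comment=demo-443]; /ip firewall filter disable [find comment=demo-443]"
/system scheduler add name=demo-443-off start-time=18:00:00 interval=1d on-event=demo-443-off

# Status and hit counters; an X in the flags column means disabled.
/ip firewall nat print stats where comment=demo-443
/ip firewall filter print stats where comment=demo-443
```

The accept rule is appended at the end of the forward chain, so if that chain already ends with a drop of new connections from wan, either move the accept above it with place-before= or rely on a connection-nat-state=dstnat accept; the dst-nat rule alone is not enough to let the traffic through.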