Mikrotik
mihanickq, 2019-05-11 02:10:42

Normal MikroTik settings?

I need tips and tricks for setting up a MikroTik hAP lite router, because I'm not good at this and set it up according to manuals from the Internet. There are a couple of computers on the network, an IP camera, and a NAS server with a VPN server installed on it.
Here is the config:

# may/11/2019 01:40:30 by RouterOS 6.42.7
# software id = TM8N-V2AS
#
# model = RB941-2nD
# serial number = 9D74091AC52C
/interface bridge
add admin-mac=B8:69:F4:93:95:5A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=ukraine disabled=no distance=indoors frequency=2437 mode=\
    ap-bridge ssid=qwerty wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=404058545 use-peer-dns=yes user=95_fhiusdfsoi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=85464655 \
    wpa2-pre-shared-key=848465465
/ip pool
add name=dhcp ranges=192.168.231.100-192.168.231.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# ether2 is a bridge port (see "/interface bridge port" above); an address on a
# bridge slave is flagged invalid, so the LAN address belongs on the bridge itself.
add address=192.168.231.254/24 comment=defconf interface=bridge network=\
    192.168.231.0
/ip arp
add address=192.168.231.197 interface=bridge mac-address=54:C4:15:2E:BA:FC
add address=192.168.231.200 interface=bridge mac-address=00:11:32:15:DF:87
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.231.197 client-id=1:54:c4:15:2e:ba:fc mac-address=\
    54:C4:15:2E:BA:FC server=defconf
/ip dhcp-server network
add address=192.168.231.0/24 comment=defconf gateway=192.168.231.254 netmask=\
    24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.231.254 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Accepts WinBox (tcp/8291) from any interface, ahead of the "drop all not
# coming from LAN" rule below. LAN clients are accepted anyway because the
# input chain has no final drop, so the only effect of this rule is to expose
# WinBox to the Internet. Add in-interface-list=LAN (or a src-address) if
# remote management is not intended.
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.231.0/24
# netmap is the action for 1:1 mapping of one network onto another; the usual
# port-forward action is dst-nat. to-ports=554 only repeats the matched port.
add action=netmap chain=dstnat comment=Hikvision dst-port=554 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.231.197 to-ports=554
# No dst-port on the next two rules: every inbound TCP and UDP connection on
# the PPPoE link that did not match above is sent to the NAS, and the forward
# chain's "drop all from WAN not DSTNATed" rule then lets it through.
add action=netmap chain=dstnat comment=Synology in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.231.200
add action=netmap chain=dstnat comment="Synology VPN" in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.231.200
/ip service
# Any source address may connect to WinBox; together with the input rule above
# this leaves management open to the Internet. 192.168.231.0/24 would limit it to LAN.
set winbox address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Kiev
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Also, tell me what this means in the logs:
(screenshot of the log; image not included)

Diman89, 2019-05-11
@Diman89

If in doubt, the default configuration is quite workable and tolerable; use it and adjust it for yourself.

Vladimir Zhurkin, 2019-05-18
@icCE

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.231.0/24
add action=netmap chain=dstnat comment=Hikvision dst-port=554 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.231.197 to-ports=554
add action=netmap chain=dstnat comment=Synology in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.231.200
add action=netmap chain=dstnat comment="Synology VPN" in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.231.200

If you read that netmap is an improved version of port forwarding in the famous Habr article, then I advise you to read the documentation rather than articles.
netmap is needed for communication between two networks with the same addressing.
Further, if your port or address stays the same, you do not need to specify it for reassignment. If the port is 554, it will be redirected to 554 anyway, so why do this twice? The same goes for the IP.
I would not put a camera or other such things facing the Internet, unless of course you don't mind that one fine day someone may watch you.
It's better to set up a VPN.
Otherwise it looks like a standard config, as far as a quick look can tell.
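The following is an added example, not code from the original post or from the answerers: the posted dstnat rules rewritten the way the answer above recommends (dst-nat instead of netmap, no redundant to-ports, and no camera exposed to the Internet), plus one step the answer does not cover, closing the WinBox rule that the posted input chain leaves open to WAN. The hosts 192.168.231.197 (camera) and 192.168.231.200 (NAS) and the interface names are taken from the question's export; the NAS running OpenVPN on udp/1194 is an assumption, since the post does not say which VPN server is installed.

```routeros
# Added example for the posted config; assumptions are marked as such.
/ip firewall nat
# As posted. netmap is meant for 1:1 mapping of one network onto another
# (e.g. two sites that both use 192.168.231.0/24), and to-ports=554 only
# repeats the port that dst-port=554 already matched.
#add action=netmap chain=dstnat comment=Hikvision dst-port=554 \
#    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.231.197 to-ports=554
# As posted. No dst-port, so every inbound TCP and UDP packet on the PPPoE
# link is forwarded to the NAS; the forward chain then accepts it, because
# "drop all from WAN not DSTNATed" only matches connections that were not NATed.
#add action=netmap chain=dstnat comment=Synology in-interface=pppoe-out1 \
#    protocol=tcp to-addresses=192.168.231.200
#add action=netmap chain=dstnat comment="Synology VPN" in-interface=pppoe-out1 \
#    protocol=udp to-addresses=192.168.231.200

# Corrected: a single explicit forward to the VPN service (port is an
# assumption), matched on the WAN interface list so it also covers ether1.
# to-ports is omitted because the port does not change.
add action=dst-nat chain=dstnat comment="Synology OpenVPN (assumed udp/1194)" \
    dst-port=1194 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.231.200
# No rule for the camera: RTSP (tcp/554) on 192.168.231.197 is reachable only
# by VPN clients, whose traffic enters the LAN through the NAS. How the NAS
# routes or NATs those clients onto the LAN is outside this example.

# Same "LAN only" treatment for WinBox. The posted accept rule sits above
# "drop all not coming from LAN" with no interface match, so tcp/8291 is open
# to the Internet. LAN traffic is accepted anyway (the input chain has no
# final drop), so the rule can simply be removed and the service itself
# limited to LAN addresses.
/ip firewall filter
remove [ find comment=WinBox ]
/ip service
set winbox address=192.168.231.0/24

# Checks after applying: only one dstnat rule should remain, and WinBox
# should list the LAN prefix as its allowed address.
/ip firewall nat print
/ip service print where name=winbox
```

Paste the block into a terminal session over the LAN, not over the WAN-side WinBox connection you are about to close; the `remove` line will drop that session.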

Alexander Karabanov, 2019-05-11
@karabanov

Something like this https://www.youtube.com/watch?v=wGDTWaDL8jc
