1. Routers with MikroTik and Alpine Linux
In this lab we prepare a MikroTik router template, and later an Alpine Linux one, to be used in the following scenario:
                                      xxxx x xxx
                                    xxx        xx
                                  xxxxxxxx      xx
   ┌───────────┐                xx              x
   │  ROUTER   │               xx               x
   │  default  ├──────────────xx    internet    x
   │  isard    │               xx               x
   └─────┬─────┘                 xxxxxx         x
         │.1                          x xx x x x x x x
         │                default network
   ──┬───┴────────────────────────────────────────────────
     │  192.168.120.0/22
     │
dhcp │.x.y
   ┌─┴─────────────────┐
   │ inet              │
   │                   │
   │  DESKTOP          │dhcp       wireguard-vpn network
   │  ROUTER ISARD vpn ├───────────────────────────────────┬──────
   │                   │.X.Y      10.2.0.0/16              │
   │ lan1              │                                   │.0.1
   └──────┬────────────┘                           ┌───────┴────────┐
          │.1                                      │    FIREWALL    │
          │   personal 1 network                   │     ISARD      │
   ───────┴──────┬──────────────────────           └──────┬─────────┘
                 │  192.168.88.0/24                       │
            dhcp │.X                                      │
          ┌──────┴──────┐                               ┌┴┐
          │ eth0        │                               │V│
          │             │                               │P│
          │  DESKTOP    │                               │N│
          │             │                               └┬┘
          │  internet   │                                │10.0.X.Y
          │  access     │                      ┌──────────┴──────────┐
          │  through    │                      │     wireguard       │
          │  personal   │                      │                     │
          │  network    │                      │       MY PC         │
          │             │                      │  with isard user's  │
          │  configure  │                      │  wireguard config   │
          │  mikrotik   │                      │                     │
          └─────────────┘                      └─────────────────────┘
MikroTik RouterOS in IsardVDI
We need a desktop running MikroTik's RouterOS to give Internet access to a desktop connected to the personal network. This router will do NAT with the "masquerade" action towards the Default network (the way out to the Internet): it replaces the source IP of the internal devices with the address of its own external interface so that they can browse. It will also run a DHCP server for the internal network. The router is reachable through the personal VPN network, so that it can be configured more comfortably from our own PC.
This configuration can serve as the basis for the more complex network exercises in the following sections.
Create a desktop with base RouterOS by cloning the disk from the image
We create a virtual desktop that boots from the System Rescue CD ISO.
We boot into the Rescue CD system.
Once inside the desktop, we make several adjustments:
# Switch the keyboard layout to Spanish
setkmap es
# Remove the live system's firewall rules and set the default INPUT policy to ACCEPT,
# so that SSH is reachable from the VPN. This is only acceptable because the rescue
# session is throwaway: nothing on it matters and it is discarded after the image is written.
# iptables -X: deletes user-defined chains (built-in chains stay; a chain that still holds
#              rules, or is referenced by one, is skipped, so run -F first if you want them all gone).
# iptables -F: flushes all rules in all chains.
# iptables -P INPUT ACCEPT: sets the default policy of the INPUT chain to ACCEPT,
#              so incoming connections are accepted unless a rule says otherwise.
iptables -X; iptables -F; iptables -P INPUT ACCEPT
We verify that no firewall rules are left and that the SSH service is listening. FORWARD keeps its DROP policy (we only changed INPUT), and because -X ran before -F the custom chain LOGDROP, which still held rules at that moment, survives as an empty chain; it is harmless:
iptables-save
ss -tlnp
# The expected output of these commands is:
[root@sysrescue ~]# iptables-save
*filter
:INPUT ACCEPT [78:13518]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [172:18618]
:LOGDROP - [0:0]
COMMIT
[root@sysrescue ~]# ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=375,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=375,fd=4))
Change the root password (passwd), since we will be logging in over SSH:
If we want to connect over SSH from our own computer
If we want to enter the system from our PC, it is enough to access it over SSH, as it has no graphical interface. For that, we can follow this guide: How to establish the user VPN tunnel
We go to the MikroTik website, where the download links for all versions are listed: https://mikrotik.com/download/archive
We look for the most recent stable image, in its img version. It must have this file-name format: chr-VERSION.img.zip. At the time of writing, the latest stable is chr-7.18.2.img.zip.
The download URL for this version is the one used in the wget command below: chr-7.18.2.img.zip
The same download page lists the SHA-256 checksum of each file (different for every file and version), which lets us check that the file we will unpack later is the one MikroTik published. It is a hash, not a signature: it proves integrity only against the value shown on that page, so the page itself must be fetched over HTTPS and the value copied from there, not from a third party. For the file and version used in this practice, the checksum is: 5452ab6b298458a3e266e2cdd4cf664cddbe44f5861991843d5924e3fa4d576f
We check with df -h /tmp that there are about 4 GB free in the temporary directory for the image:
We download the file into /tmp and verify the checksum, comparing it with the published value rather than reading the 64 characters by eye:
wget -O /tmp/routeros.img.zip https://download.mikrotik.com/routeros/7.18.2/chr-7.18.2.img.zip
echo "5452ab6b298458a3e266e2cdd4cf664cddbe44f5861991843d5924e3fa4d576f  /tmp/routeros.img.zip" | sha256sum -c
Once the checksum is verified (sha256sum -c prints "routeros.img.zip: OK"; on "FAILED" do not continue), we unpack the contents with unzip -d /tmp /tmp/routeros.img.zip.
This extracts a 128M disk image:
[root@sysrescue /tmp]# ls -lh /tmp/*.img
-rw-r--r-- 1 root root 128M Apr 17 13:50 /tmp/chr-7.18.2.img
Now we have to clone this image onto the virtual disk /dev/vda (41943040 sectors of 512 bytes, that is 20 GiB; the image only occupies the first 128 MiB):
[root@sysrescue /tmp]# hdparm /dev/vda
/dev/vda:
readonly = 0 (off)
readahead = 256 (on)
geometry = 41610/16/63, sectors = 41943040, start = 0
For this we use the dd tool:
# if: input file, here the disk image.
# of: output file, here the virtual disk device.
# bs: block size for reads and writes; 1M is far faster than the 512-byte default for large files.
# status=progress: show progress, useful for large files; here it is almost instantaneous.
dd if=/tmp/chr-7.18.2.img of=/dev/vda bs=1M status=progress
# flush the writes to the disk before powering off
sync
Now we can power off the virtual desktop with poweroff.
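The download, check and write steps above, gathered into one fail-closed script. This is an added example and not part of the original guide: the URL and SHA-256 are the ones quoted above, /dev/vda and /tmp are the paths the guide uses, and the 512 MiB free-space threshold is an assumption. The point of the script is that dd never runs unless the checksum matches.

```sh
#!/bin/sh
# Added example: download, verify and write the CHR image, refusing to touch the disk
# unless the SHA-256 matches. Run with "--run" inside the rescue system.
CHR_VERSION="7.18.2"
CHR_URL="https://download.mikrotik.com/routeros/${CHR_VERSION}/chr-${CHR_VERSION}.img.zip"
# Value quoted on the MikroTik download page for this version (see above).
CHR_SHA256="5452ab6b298458a3e266e2cdd4cf664cddbe44f5861991843d5924e3fa4d576f"
TARGET_DISK="/dev/vda"
WORKDIR="/tmp"
MIN_FREE_MIB=512   # assumption: room for the zip plus the unpacked 128 MiB image

# verify_sha256 FILE EXPECTED: returns 0 when FILE hashes to EXPECTED, 1 otherwise.
# A string comparison beats eyeballing a 64-character hash.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# free_mib DIR: free space of the filesystem holding DIR, in MiB (POSIX df output).
free_mib() {
    df -P -k "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# write_image: the full procedure; every step must succeed before the next one runs.
write_image() {
    [ "$(free_mib "$WORKDIR")" -ge "$MIN_FREE_MIB" ] ||
        { echo "need at least ${MIN_FREE_MIB} MiB free in $WORKDIR" >&2; return 1; }
    wget -q -O "$WORKDIR/routeros.img.zip" "$CHR_URL" || return 1
    verify_sha256 "$WORKDIR/routeros.img.zip" "$CHR_SHA256" || return 1
    unzip -o -d "$WORKDIR" "$WORKDIR/routeros.img.zip" >/dev/null || return 1
    dd if="$WORKDIR/chr-${CHR_VERSION}.img" of="$TARGET_DISK" bs=1M status=progress || return 1
    sync
}

if [ "${1:-}" = "--run" ]; then
    write_image
fi
```

Save it as write-chr.sh on the rescue system and run sh write-chr.sh --run; a wrong or truncated download stops the script before the disk is written.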
We can now edit the desktop and prepare it to become a template.
When editing, we change these parameters:
- vCPUs: we can keep the 2 vCPUs set earlier.
- Memory (GB): reduce memory to 1 GB.
- Boot: switch from CD/DVD to Hard Disk.
- Networks: we can add or modify them according to what we want fixed in the template; students can change them later when creating a desktop. It is usual for the first interface to be the Internet uplink (Default), the second the VPN network (WireGuardVPN) and the third the personal network (Personal1).
- Remove the System Rescue CD ISO.
- Optional: add an image to the desktop's card.
Once the hardware changes are made, we convert the desktop into a template with the name: routeros 7.18.2
We can now keep working with our desktop, which is now based on this new template.
MikroTik initial configuration
Once the desktop is powered on, it boots the MikroTik image and gives us its command line, as if we had connected to the router over Telnet or a serial port. Output like the following image should appear on the screen:
We log in with:
- Login: admin
- Password: (press Enter, as it has no password yet)
The first thing it asks is to set a password. Here we use the usual password of our templates, "pirineus". We then reach the MikroTik prompt:
We verify that it has Internet access:
Preparing the desktop for an SSH connection from our computer
If we want to enter the system from our PC, it is enough to access it over SSH, as it has no graphical interface. For that, we can follow this guide: How to establish the user VPN tunnel
Before continuing, we want to work more comfortably in a terminal where we can copy and paste commands. The viewer, with no graphical interface, does not share the clipboard between the virtual desktop and our computer.
For that, the WireGuard VPN interface must be enabled and the router told to obtain a dynamic address on it via DHCP. The WireGuardVPN network hands out a dynamic IP but no default gateway.
We list the interfaces and their names (/interface print):
We check that the second interface, the WireGuardVPN one, is called ether2 (this depends on the position of the interface when editing the virtual desktop).
We add a DHCP client on that interface (/ip dhcp-client add interface=ether2 disabled=no) and wait until it obtains an address:
We check that the IP and the routes are correct. The lease has also installed the routes that let us reach the router from our computer through the personal VPN:
In this case, the IP on the ether2 interface is 10.2.239.24.
We should now be able to ping it and open SSH from our computer.
When connecting over SSH, because we previously connected to this same IP while it ran the Rescue CD system, a host key conflict in ~/.ssh/known_hosts is likely. A changed host key is exactly what a man-in-the-middle looks like, so remove the old key only because we know the cause (a different OS now answers on the same address): ssh-keygen -R 10.2.239.24
We log in as the admin user.
The result should look like this (the version in the banner is that of the image written to the disk; the capture below was taken with a 7.14.3 image):
➜ ~ ssh admin@10.2.239.24
The authenticity of host '10.2.239.24 (10.2.239.24)' can't be established.
RSA key fingerprint is SHA256:+xpN6EIEw3LTfCzrmH7VWOwGN1cRqCH4RhaB8LkATEs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.2.239.24' (RSA) to the list of known hosts.
admin@10.2.239.24's password:
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 7.14.3 (c) 1999-2024 https://www.mikrotik.com/
Press F1 for help
[admin@MikroTik] >
And we now have access to the command line through the WireGuardVPN.
Configure internal network with DHCP and VPN server
At this point we configure an internal LAN where the router acts as DHCP server and masquerades the Internet access.
The steps are:
- Group the interfaces into WAN and LAN lists. ether2 and ether3 belong to the internal side (LAN); ether1 is the external side, the Internet uplink (WAN). Note that putting ether2 in LAN means the router's management services are reachable from the whole WireGuardVPN network (10.2.0.0/16), not only from 192.168.88.0/24: that is what lets us administer it from our PC, but every other desktop on that network can reach its login prompt too, so the admin password is the only thing in the way.
# INTERFACE LISTS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
# ether3: Personal1 interface
add comment=defconf interface=ether3 list=LAN
# ether2: WireGuardVPN interface
add comment=defconf interface=ether2 list=LAN
# ether1: Default network, Internet uplink
add comment=defconf interface=ether1 list=WAN
# NEIGHBOR DISCOVERY
# Announce the router (MNDP/LLDP) only on LAN interfaces, so that it can be found from
# the internal network, e.g. by Winbox, but does not advertise itself towards the WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
- Assign fixed IP to the ether3 interface (The Personal1 interface).
# INTERNAL IP ADDRESS
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether3 network=192.168.88.0
- DHCP server:
  - Create an IP pool (range of addresses).
  - Create a DHCP server that uses this pool.
  - Add the network configuration (gateway, DNS) to the DHCP server.
- DNS server:
  - Make the router a DNS resolver that forwards requests to an external DNS server. allow-remote-requests=yes makes it answer queries on every interface; the input-chain rule below that drops everything not coming from LAN is what keeps it from being an open resolver towards the WAN.
# DNS server
# Let network devices use the router as DNS server, with the Google DNS server as upstream.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Assign the name "router.lan" to the router's IP.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
- Set up the firewall to masquerade the Internet access from the internal network.
# FIREWALL MASQUERADE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
- Restrict access to the router itself: accept new incoming connections only from the internal network (LAN), and forward traffic from the WAN only when it belongs to an existing or DST-NATed connection. Rule order matters: the "drop all not coming from LAN" rule must stay last in the input chain.
# FIREWALL
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
- Rename the router.
- Adjust the clock and time zone.
# We assign the time zone.
/system clock
set time-zone-name=Europe/Madrid
/system ntp client
set enabled=yes
# We add IP addresses of time-servers to which the router will connect to synchronize the clock.
/system ntp client servers
add address=213.251.52.234
add address=158.227.98.15
/system clock print
Rename the interfaces:
- ether1: inet (Internet uplink, Default network)
- ether2: vpnisard (WireGuardVPN network, reached through our IsardVDI user VPN file)
- ether3: lan1 (Personal1 network)
And finally we make a backup of the current configuration in case we want to recover it (/system backup save):
We can power off the router from inside with /system shutdown:
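The DHCP server, identity and interface-name steps listed above have no commands on this page. The following is an added example, not from the original guide, that generates them as a RouterOS .rsc fragment and imports it over the VPN with scp and /import. The router address 10.2.239.24 is the one seen earlier; the pool name dhcp_pool1 and the range .10-.254 are assumptions; the DNS server handed to clients is the router itself, matching the /ip dns step; and it is assumed that the router's SSH service accepts scp uploads (if not, upload lan.rsc by any other means and run /import by hand).

```sh
#!/bin/sh
# Added example: generate the LAN DHCP/DNS hand-out and the renames as RouterOS
# commands, then upload and import them. Run with "--push" from the PC on the VPN.
ROUTER="10.2.239.24"   # the router's address on the WireGuardVPN network (from earlier)

# identity_rsc NAME: rename the router and the three interfaces as the guide lists.
identity_rsc() {
    cat <<EOF
/system identity
set name=$1
/interface ethernet
set [ find default-name=ether1 ] name=inet
set [ find default-name=ether2 ] name=vpnisard
set [ find default-name=ether3 ] name=lan1
EOF
}

# dhcp_rsc IFACE NET: pool, server and network for a /24 whose first three octets are NET.
# .1 is the router (gateway and DNS, as in /ip dns above); .10-.254 is the pool (assumption).
dhcp_rsc() {
    iface="$1"; net="$2"
    cat <<EOF
/ip pool
add name=dhcp_pool1 ranges=${net}.10-${net}.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=${iface} name=defconf
/ip dhcp-server network
add address=${net}.0/24 gateway=${net}.1 dns-server=${net}.1 comment=defconf
EOF
}

# lan_rsc: the whole fragment; renames first so the DHCP server can refer to lan1.
lan_rsc() {
    identity_rsc router
    dhcp_rsc lan1 192.168.88
}

# push_config: upload as lan.rsc, import it, show the result and keep a backup.
push_config() {
    lan_rsc > /tmp/lan.rsc &&
    scp /tmp/lan.rsc "admin@${ROUTER}:lan.rsc" &&
    ssh "admin@${ROUTER}" '/import file-name=lan.rsc' &&
    ssh "admin@${ROUTER}" '/ip dhcp-server print; /ip dhcp-server network print; /system backup save name=initial'
}

if [ "${1:-}" = "--push" ]; then
    push_config
fi
```

Running sh lan-config.sh without arguments only defines the functions; lan_rsc prints the fragment so it can be reviewed before --push sends it to the router.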
Prepare router configuration as template
If we want this configuration to serve as a template, it is not as simple as with a Windows or Linux operating system.
RouterOS ties interface configuration to the interfaces' MAC addresses. When the disk is cloned, new MAC addresses are generated, so the configuration previously tested on the interfaces no longer matches them and the template is of no use for other desktops.
Each desktop derived from a template is created with a different MAC address on each card, so extra steps are needed to make the template usable.
We save the configuration as a list of commands:
We copy the file to our PC or to a virtual desktop running Linux:
We edit the initial.rsc file, adding remove [find] to the DHCP client part, because RouterOS automatically creates a DHCP client by default. In the DHCP client section of the router's initial.rsc file we have:
We change this part to:
Now we only have to upload the file back to the router and overwrite it (which happens automatically when it has the same name):
On the router we can list the files and confirm the upload by looking at the LAST-MODIFIED column (date and time of last modification):
Finally, we tell the router to import the commands in initial.rsc when it starts for the first time.
It will reboot, and we must log in as admin with an empty password ([ENTER]), as if entering the router for the first time.
Lastly, we repeat the configuration reset, this time so that it powers off, so that the current state of the router's disk can be cloned into a template.
The desktop will be powered off and we can create a template with the name router 7.14 inet-vpn-lan.
To verify that the steps of the guide have been completed and everything works, we must create a new test desktop from this template, since the current one keeps the same MAC addresses and would work even if the template did not.
We create a desktop named test from the template we just created, "router 7.14 inet-vpn-lan", and check that the router's configuration takes effect on the client. If the result is satisfactory, the template is ready to be used in the practice.
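The export, edit and upload round trip described above, as an added example that is not part of the original guide. The input is a constructed export fragment (what /export writes for this router is an assumption; only the "/ip dhcp-client" section header matters). The function inserts remove [find] right after that header, once, so that on first boot the default DHCP client is deleted before ours are added; the ssh/scp steps assume the router is still reachable at 10.2.239.24 and accepts scp over its SSH service.

```sh
#!/bin/sh
# Added example: export the running config, insert "remove [find]" in the
# /ip dhcp-client section and upload the result back as initial.rsc.
ROUTER="10.2.239.24"   # address on the WireGuardVPN network, as earlier in the guide

# Constructed sample of what an export of this router might contain; only the
# "/ip dhcp-client" header matters for the transformation.
SAMPLE_EXPORT='/interface ethernet
set [ find default-name=ether1 ] name=inet
set [ find default-name=ether2 ] name=vpnisard
set [ find default-name=ether3 ] name=lan1
/ip dhcp-client
add interface=inet
add interface=vpnisard
/ip dhcp-server
add address-pool=dhcp_pool1 interface=lan1 name=defconf'

# patch_dhcp_client: stdin -> stdout. After the "/ip dhcp-client" header, add
# "remove [find]" so the client created by the default configuration is dropped
# before ours are added. Idempotent: a header already followed by the line is left alone.
patch_dhcp_client() {
    awk '
        prev == "/ip dhcp-client" && $0 != "remove [find]" { print "remove [find]" }
        { print; prev = $0 }
        END { if (prev == "/ip dhcp-client") print "remove [find]" }
    '
}

# patched_sample: the transformation applied to the constructed sample.
patched_sample() {
    printf '%s\n' "$SAMPLE_EXPORT" | patch_dhcp_client
}

# round_trip: export on the router, fetch, patch, upload back under the same name.
round_trip() {
    ssh "admin@${ROUTER}" '/export file=initial' &&
    scp "admin@${ROUTER}:initial.rsc" ./initial.rsc &&
    patch_dhcp_client < ./initial.rsc > ./initial.patched.rsc &&
    mv ./initial.patched.rsc ./initial.rsc &&
    scp ./initial.rsc "admin@${ROUTER}:initial.rsc" &&
    ssh "admin@${ROUTER}" '/file print where name=initial.rsc'
}

if [ "${1:-}" = "--run" ]; then
    round_trip
fi
```

Because the patch is idempotent, re-running the round trip after further changes on the router does not pile up duplicate remove [find] lines; the final /file print shows the LAST-MODIFIED time mentioned above.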
Client in the internal network
We create a desktop for the client:
- Template: Vitalinux, Ubuntu, Windows (whichever we prefer)
- Networks: only the Personal1 network
If we connect with the SPICE viewer, we can copy and paste to and from the desktop using the clipboard.
From inside the client desktop (here we use Vitalinux), we check the following:
- The first interface (Personal1) obtains an IP address via DHCP.
ip -c a s ens3
# Expected result
isard@vitalinux:~/Desktop$ ip -c a s ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:75:d3:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.88.254/24 brd 192.168.88.255 scope global dynamic noprefixroute ens3
valid_lft 1581sec preferred_lft 1581sec
inet6 fe80::a8d3:848f:4f11:3ca8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
- We check Internet connectivity by pinging 8.8.8.8.
ping -c 1 8.8.8.8
# Expected result
isard@vitalinux:~/Desktop$ ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=15.0 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 15.017/15.017/15.017/0.000 ms
- The DNS configuration is correct: the first server is the router (192.168.88.1); the second, 192.168.120.1, is the gateway of the Default network (see the diagram), which the router hands on to clients as a second server.
systemd-resolve --status ens3
# Expected result
isard@vitalinux:~/Desktop$ systemd-resolve --status ens3
Link 2 (ens3)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.88.1
192.168.120.1
DNS Domain: ~.
- It is possible to ping a domain name, so DNS resolution works.
ping -c 1 www.google.es
# Expected result
isard@vitalinux:~/Desktop$ ping -c 1 www.google.es
PING www.google.es (216.58.215.163) 56(84) bytes of data.
64 bytes from mad41s07-in-f3.1e100.net (216.58.215.163): icmp_seq=1 ttl=116 time=19.3 ms
--- www.google.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 19.352/19.352/19.352/0.000 ms
Use Winbox (graphical tool) to configure MikroTik from Linux
From a client connected to the internal LAN network we can use the Winbox tool. Winbox talks to the router on TCP port 8291; with the firewall above, that port is reachable only from the LAN interfaces, which is what we want.
To use Winbox on Linux we need the Wine package, which runs certain applications compiled for Windows on Linux. Some distributions already ship it.
We download Winbox from the MikroTik website (and only from there), or from the terminal:
And we start it with wine winbox.exe:
The first time Wine runs, it may show messages asking to install additional components. These can be ignored; they are not needed for Winbox.
We reach a screen like the one in the image, where we enter the router IP and the password:
Additional settings for the Winbox experience
We can download a desktop icon (note that this comes from a third-party GitHub repository, not from MikroTik; it is only an image):
wget -O ~/winbox_icon.png https://github.com/juanchixd/Mikrotik-linux/blob/main/icons/winbox-128x128.png?raw=true
Create a launcher on our desktop:
cat <<'EOF' > ~/Desktop/Winbox_Mikrotik.desktop
[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=Winbox Mikrotik
Name[en]=Winbox Mikrotik
Name[es]=Winbox Mikrotik
Name[es_ES]=Winbox Mikrotik
Exec=sh -c "wine /home/isard/winbox.exe"
Categories=Network;
Type=Application
Terminal=false
Icon=/home/isard/winbox_icon.png
EOF
Copy it to the XDG autostart directory (~/.config/autostart) so that it runs at login:
We can save this client desktop as a template with the name "client Winbox Vitalinux".