MIKROTIK ROUTEROS CHEATSHEET
Here is a list of useful and handy RouterOS commands. For sanity's sake, since RouterOS has a terminal, I will reference that rather than deal with pictures and (unintentionally) vague references. For those who refuse to use the terminal, the command is generally straightforward regarding which field needs what information. If there is something you wish to have added, contact me and I will add it, if possible. Some things I just do not have the capability to easily try out or implement.
The following rules are copied from working configs, but sanitized. Placeholder fields are written in capitals (for example SUBNET-CIDR where CIDR notation is required); replace them with your own values.
FIREWALL RELATED RULES
LIST ALL RULES ACTIVE
/ip firewall export
DROP A SUBNET
/ip firewall filter add action=drop chain=forward comment="Subnet Drop" log=yes log-prefix="[Subnet Drop]" src-address=SUBNET-CIDR
DROP A PORT
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=PORT
DROP ALL BUT A PORT
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=!PORT
FORWARD PORT
/ip firewall nat add action=dst-nat chain=dstnat comment="Cockpit" dst-address=WAN-IP dst-port=9090 protocol=tcp to-addresses=LAN-IP to-ports=9090
HAIRPIN NAT
/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=SERVER out-interface=bridge protocol=tcp src-address=SUBNET-CIDR
/ip firewall nat add chain=srcnat out-interface=bridge action=masquerade
BLOCKING WEBSITES
First we create an L7 rule, then a filter rule that matches on it. Inside the L7 regexp, separate each site with a vertical bar (|) -- this rule blocks facebook.com and myspace.com.
/ip firewall layer7-protocol add name="Block Badsites" regexp="^.+(facebook.com|myspace.com).*\$"
/ip firewall filter add action=drop chain=forward comment="Block Badsites" layer7-protocol="Block Badsites"
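To see what the regexp above actually matches before deploying it, here is an added example (not part of the original cheatsheet) that runs the page's pattern over a few constructed payloads with Python's re module. The RouterOS L7 matcher inspects the first bytes of a connection, not a hostname, so the samples are HTTP request fragments and a constructed TLS ClientHello fragment. Python's re with DOTALL is only an approximation of the RouterOS engine, and STRICT_PATTERN is a hypothetical tightened variant that is not on the page.

```python
import re

# Pattern from the page's layer7-protocol rule. In the RouterOS console the
# trailing "$" is written as "\$" only to stop the console treating it as a
# variable prefix; the regex itself ends in a plain "$".
PAGE_PATTERN = r"^.+(facebook.com|myspace.com).*$"

# Hypothetical tightened variant (not on the page): escape the dots so they
# match a literal "." instead of any single character.
STRICT_PATTERN = r"^.+(facebook\.com|myspace\.com).*$"

# Constructed stand-ins for the first bytes of a connection, which is what the
# L7 matcher inspects. Python's re module with DOTALL is an approximation of
# the RouterOS engine; it is enough to see how the pattern behaves.
SAMPLES = {
    "http_facebook":  "GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "http_myspace":   "GET /a HTTP/1.1\r\nHost: myspace.com\r\n\r\n",
    "http_unrelated": "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
    # the unescaped "." in the page pattern also matches "facebookXcom"
    "lookalike":      "GET / HTTP/1.1\r\nHost: facebookXcom.example\r\n\r\n",
    # constructed TLS ClientHello fragment; the SNI hostname is still plaintext
    "tls_sni":        "\x16\x03\x01\x00\x80\x01\x00\x00\x7c\x03\x03"
                      + "\x00" * 8 + "www.facebook.com" + "\x00" * 8,
    # "^.+" demands at least one byte before the site name, so a payload that
    # begins with the name itself is NOT matched
    "bare_name":      "facebook.com",
}


def matches(pattern: str, payload: str) -> bool:
    """Return True if the L7-style pattern matches the payload."""
    return re.search(pattern, payload, re.DOTALL) is not None


def evaluate(pattern: str) -> dict:
    """Run one pattern over every constructed sample: name -> matched?"""
    return {name: matches(pattern, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for label, pat in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        print(label)
        for name, hit in evaluate(pat).items():
            print(f"  {name:15} {'BLOCK' if hit else 'pass'}")
```

Two things the run makes visible: the unescaped dots make the page pattern match more than the two intended domains (the lookalike sample), and the leading "^.+" means a payload that starts with the site name is never matched, so the rule relies on the name appearing after a request line or inside a TLS handshake.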
FORCE A DNS SERVER
Here we create a list which will be used for exclusionary purposes (testing or whatever):
/ip firewall address-list add address=1.1.1.0/24 list=opendns-exclude
/ip firewall address-list add address=2.2.2.2/32 list=opendns-exclude
Next we redirect based on that list (basically any source IP not in the list gets its DNS traffic sent to OpenDNS):
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=53 protocol=tcp src-address-list=!opendns-exclude dst-port=53 log=no comment="Force OpenDNS TCP"
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=53 protocol=udp src-address-list=!opendns-exclude dst-port=53 log=no comment="Force OpenDNS UDP"
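The following is an added example (not from the original cheatsheet) that emulates the decision the two dst-nat rules make for a single packet, using the page's exclusion list and resolver address. It exists to make the negated list match (src-address-list=!opendns-exclude) and the port-53-only scope concrete; the packets it evaluates are constructed.

```python
import ipaddress

# The page's exclusion list (sanitised values, copied from the page).
OPENDNS_EXCLUDE = [ipaddress.ip_network(n) for n in ("1.1.1.0/24", "2.2.2.2/32")]

# Destination the two dst-nat rules rewrite to (OpenDNS, from the page).
FORCED_RESOLVER = ("208.67.222.222", 53)


def in_address_list(ip: str, networks) -> bool:
    """RouterOS address-list membership: any entry whose prefix contains ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def dstnat_target(src_ip: str, proto: str, dst_port: int):
    """Emulate the two "Force OpenDNS" rules for one packet.

    Returns (to-address, to-port) when the packet would be rewritten, else None.
    Only TCP/UDP to port 53 is matched, and src-address-list=!opendns-exclude
    means sources that ARE in the list are left alone.
    """
    if proto not in ("tcp", "udp") or dst_port != 53:
        return None
    if in_address_list(src_ip, OPENDNS_EXCLUDE):
        return None
    return FORCED_RESOLVER


if __name__ == "__main__":
    # constructed packets: (src, proto, dst_port)
    for pkt in (("192.168.88.10", "udp", 53), ("1.1.1.77", "udp", 53),
                ("2.2.2.2", "tcp", 53), ("192.168.88.10", "tcp", 853),
                ("192.168.88.10", "tcp", 443)):
        print(pkt, "->", dstnat_target(*pkt) or "untouched")
```

The last two constructed packets show the limit of the rules: DNS over TLS (TCP 853) and DNS over HTTPS (TCP 443) are not touched, so a client configured for encrypted DNS is not forced to the chosen resolver by these two rules alone.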
SYSTEM RELATED TASKS
CLONE CONFIG
- Export Config
/export file=name-of-backup
- Import Config
/import file=name-of-backup
WINBOX SUPPORT
/ip service enable winbox
/ip service disable winbox
FTP SUPPORT
/ip service disable ftp
TLS
HTTPS -- SELF SIGNED
- Create and sign a CA certificate
/certificate add name=mikrotik-ca common-name=mikrotik-ca key-usage=key-cert-sign,crl-sign
/certificate sign mikrotik-ca
- Create and sign your https certificate
/certificate add name=mikrotik-device common-name=mikrotik-device key-usage=tls-server
/certificate sign mikrotik-device ca=mikrotik-ca
- Trust your certificates
/certificate set trusted=yes mikrotik-ca
/certificate set trusted=yes mikrotik-device
- Enable this certificate for your https service
/ip service set www-ssl certificate=mikrotik-device
- Disable non-secured connections
/ip service set www disabled=yes
HTTPS -- AUTO-GENERATED
coming soon
- https://github.com/gitpel/letsencrypt-routeros
- http://me.sdnix.com/mikrotik-lets-encrypt-wildcard-ssl-certificate/
- https://community.letsencrypt.org/t/lets-encrypt-routeros-mikrotik/47223