MIKROTIK ROUTEROS CHEATSHEET

Here is a list of useful and handy RouterOS commands. For sanity sake, since RouterOS has a terminal, I will reference that rather than try to deal with pictures and vague (unitentionally) references. For those that refuse to use the terminal, the command is generally straightforward regarding what field needs what information. If there is something you wish to have added, contact me and I will add it, if possible. Some things I just do not have the capability to easily try out or can even implement.

The following rules are copied from working configs, but sanitized. The field is denoted where CIDR notation is required.

FIREWALL RELATED RULES

LIST ALL RULES ACTIVE

    /ip firewall export

DROP A SUBNET

    /ip firewall filter add action=drop chain=forward comment="Subnet Drop" log=yes log-prefix="[Subnet Drop]" src-address=SUNBNET-CIDR

DROP A PORT

    /ip firewall nat add chain=forward action=drop protocol=tcp dst-port=PORT

DROP ALL BUT A PORT

    /ip firewall nat add chain=forward action=drop protocol=tcp dst-port=!PORT

FORWARD PORT

    /ip firewall nat add action=dst-nat chain=dstnat comment="Cockpit" dst-address=WAN-IP dst-port=9090 protocol=tcp to-addresses=LAN-IP to-ports=9090

HAIRPIN NAT

    /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=SERVER out-interface=bridge protocol=tcp src-address=SUBNET-CIDR
    /ip firewall nat add chain=srcnat out-interface=bridge action=masquerade

BLOCKING WEBSITES

First we create a L7 rule, then a filter rule to match on the L7 rule. Inside the L7 regex rule separate each site with a bar -- this rule is for blocking facebook.com and myspace.com

    /ip firewall layer7-protocol add name="Block Badsites" regexp="^.+(facebook.com|myspace.com).*\$"
    /ip firewall filter add action=drop chain=forward comment="Block Badsites" layer7-protocol="Block Badsites"

FORCE A DNS SERVER

Here we create a list which will be used for exlusionary purposes (testing or whatever):

    /ip firewall address-list add address=1.1.1.0/24 list=opendns-exclude
    /ip firewall address-list add address=2.2.2.2/32 list=opendns-exclude

Next we filter out based on that rule (basically any IP not in the list):

    /ip firewall nat chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=53 protocol=tcp src-address-list=!opendns-exclude dst-port=53 log=no comment="Force OpenDNS TCP"
    /ip firewall nat chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=53 protocol=udp src-address-list=!opendns-exclude dst-port=53 log=no comment="Force OpenDNS UDP"

SYSTEM RELATED TASKS

CLONE CONFIG

• Export Config

  /export file=name-of-backup
  

• Import Config

  /import file=name-of-backup
  

WINBOX SUPPORT

    /ip service enable winbox
    /ip service disable winbox

FTP SUPPORT

    /ip service disable ftp

TLS

HTTPS -- SELF SIGNED

1. Create and sign a CA certificate

   /certificate add name=mikrotik-ca common-name=mikrotik-ca key-usage=key-cert-sign,crl-sign
   /certificate sign mikrotik-ca
   

2. Create and sign your https certificate

   /certificate add name=mikrotik-device common-name=mikrotik-device key-usage=tls-server
   /certificate sign ca=mikrotik-ca mikrotik-device
   

3. Trust your certificates

   /certificate set trusted=yes mikrotik-ca
   /certificate set trusted=yes mikrotik-device
   

4. Enable this certificate for your https service

   /ip service set www-ssl certificate=my-rtr
   

5. Disable non-secured connections

   /ip service set www disabled=yes
   

HTTPS -- AUTO-GENERATED

coming soon

• https://github.com/gitpel/letsencrypt-routeros
• http://me.sdnix.com/mikrotik-lets-encrypt-wildcard-ssl-certificate/
• https://community.letsencrypt.org/t/lets-encrypt-routeros-mikrotik/47223

REFERENCES

• https://support.ispsupplies.com/hc/en-us/articles/115009659047-Cloning-MikroTik-Routers-Quick-and-Easy
• https://blog.a2o.si/2015/08/11/mikrotik-how-to-generate-ssl-certificate-and-enable-https/
• https://www.medo64.com/2016/11/enabling-https-on-mikrotik/