Geekzone: technology news, blogs, forums


Meow
Topic # 161676 15-Jan-2015 21:31

As a few people have requested here is a how-to for setting up a Mikrotik RB951G-2HnD for use with UFB (in my case, Spark UFB) and a DNS unblocking service. The Mikrotik RB951G-2HnD is simply put, a very good router with tonnes of features and best of all is available for sub $150.

First of all I am going to assume you know how to set up your computer with a static IP (192.168.88.5) and have Winbox already (available by browsing to your router) and have connected to your router by entering its IP (192.168.88.1) and logging in. If you're using OSX or Linux then either use WINE to run the Winbox application or try and follow along with the web interface.

First - a little bit of housekeeping:

When you pull your router out of its box and plug it in it will not have the latest firmware - let's upgrade this at the very start to avoid any problems. Head over to http://mikrotik.com/downloads and download the latest mipsbe package.

[screenshot]

Next, in Winbox go to Files and drag / drop the file into the file manager, then simply reboot your Mikrotik by going to System > Reboot. Once it is all loaded up again (indicated by 2 beeps) log in and go to System > Routerboard and press Upgrade to upgrade the Mikrotik's bootloader, do another reboot and you're set for the next step.

Next - getting to the basics:

I am not going to fully reset my Mikrotik whilst my partner is watching "Short of talant" street via the Chromecast, as I've found out she gets rather angry when I do that; instead the below screenshots serve more as examples of what you're trying to achieve.

When you log in to Winbox for the first time you'll be greeted by the Quick Start screen - it looks like this. To make things simple we'll use this to set up the initial configuration, fill it in as shown:

[screenshot]

Green Area: Set up your Wireless Network specifics.
Red Area: Set your provider's PPPoE settings here.
Orange Area: You don't need to worry about this too much unless you really want to set your network away from the 192.168.88.1 range; let's just leave it for now for ease of setup, but tick NAT and DHCP because you might want this.

Below this is somewhere you can change your default password - do this, do this now, otherwise your router will get owned.

Once you've hit Apply the rest is pretty straightforward to do.

VLAN Tagging:

I've noticed that due to a bug in Winbox this pretty-much breaks the Quick Setup screen, so make sure you've completed the basic configuration of your router first. Go across to Interfaces on the left and you'll be greeted with a screen that looks like this:



If you go to VLAN you'll be presented with an empty screen, hit the + button and copy what you see in the image below:

[screenshot]

Once you hit OK you should actually have internet once you set up your computer with DHCP, but let's not stop there... Gotta secure this thing.

Security - Firewall:

I really hope you changed the default password!

Right, you've got internet but by default all your ports will be open - a very suboptimal situation!

Fix this by going to IP > Firewall. The default rules are sufficient for your basic setup but you might want to assign some interfaces to them! Never mind, by double-clicking on the rules you're greeted by a page that allows you to set the IN and OUT interfaces for that rule to work off - just follow what I have set up here:

[screenshot]

Now if your rules match my image let's test this! Go across to GRC ShieldsUP here: https://www.grc.com/shieldsup and run a port scan on your IP, you should get all green across the board.

Free Dynamic DNS baked right in:

All you need to do to enable this is click on IP > Cloud from the left menu. Click on Enabled and Update Time. Your DNS name is what you're able to use as Dynamic DNS for providers like dns4me or UnoTelly to keep your IP always updated with them.

Time Zone and Clock:

Assuming you hit Update Time above you might want to set your time zone, to do so go to System > Clock and change the Time Zone to your zone of choice.

DNS:

Yeah, you want to use your content unblocker's services, right? Easy, first of all you'll need to go to Interfaces from the left panel and double-click on PPPoE-Out to edit the rule - the rule we need to change here is under Dial Out and is called "Use Peer DNS" - unticking this box ensures your Mikrotik won't use your ISP's automatically assigned DNS servers.

Once you've done this go to IP > DNS and press the up arrow (^) on any DNS servers there, then fill in the top 2 DNS servers from your provider of choice and hit Apply:

[screenshot]

I've found setting your cache to 1 MB is not too bad but some people like to set this greater to speed up DNS responses - up to 10 MB is fine for your home network.

Now, go to Cache and Flush Cache to clear anything off that isn't supposed to be there.

Other things:

If you own a Chromecast or anything that gets angry due to Google DNS not unblocking Netflix this simple thing could save you a little time - in the Firewall screen go across to NAT and add 2 new rules (since Android has been logged to use TCP):

Chain: DSTNAT
Protocol: UDP
DST PORT: 53

Chain: DSTNAT
Protocol: TCP
DST PORT: 53

Then click on Action and drop down Action to Redirect. This will ensure that no matter what DNS the devices on your network use, your router will capture and forward these requests to the unblocking service of your choice.

---

If you own an Xbox or PS4 or do online gaming and / or torrent downloading you might want to enable UPnP so your devices can automatically forward ports, but bear in mind this can pose a risk since your devices can now port-forward on demand.

To enable this go into IP > UPnP and click on Enabled and de-select "Show Dummy Rule" and "Allow to Disable external interface" - go into Interfaces and set your Bridge interface as internal, and your PPPoE interface as External as shown:

[screenshot]

Common Problems:

With some Apple devices you might run into some difficulties with connecting to WiFi - the fix is simple: go into Wireless (from the left), double-click on wlan1, hit Advanced Mode on the right of the box that pops up, go to the Advanced tab and change Preamble Mode to either Long or Both.

Other Information:

There is a heap of information on http://wiki.mikrotik.com - look up, use Google and if you can't find what you're looking for then post on Geekzone for help and I am sure somebody can help you out.

If people are interested I can post other things here (like setting up traffic queues), but if you've just bought a Mikrotik give this guide a go and let me know how you get on. By following this guide you're going to get your Mikrotik working as your main router with full service unblocking support.
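The whole procedure in the post above, entered in the RouterOS terminal (New Terminal in Winbox) instead of clicked through the GUI. This is an added example, not code from the original post or from MikroTik. It assumes the ONT is plugged into ether1, that the ISP's VLAN tag is 10 (confirm with your own provider), that the LAN bridge is named bridge (older default configs call it bridge-local), and that the PPPoE credentials and the two resolver addresses are placeholders. It also includes the step a later reply in this thread points out the GUI walkthrough is missing: the PPPoE client must be bound to the VLAN interface, not to ether1.

```routeros
# Added example, not from the original post. RouterOS 6.x terminal syntax.
# Assumptions: ONT on ether1, ISP VLAN tag 10 (check with your provider),
# LAN bridge named "bridge", placeholder PPPoE credentials and resolver IPs.

# Housekeeping: after uploading the new package and rebooting, also update the
# bootloader (it asks for confirmation and takes effect on the next reboot).
/system routerboard upgrade

# WAN: a tagged VLAN on the ONT port, and the PPPoE client bound to that VLAN
# (not to ether1). use-peer-dns=no stops the ISP's resolvers being pushed in.
/interface vlan add name=vlan10-ufb interface=ether1 vlan-id=10
/interface pppoe-client add name=pppoe-out1 interface=vlan10-ufb \
    user="UFB-USERNAME" password="UFB-PASSWORD" \
    add-default-route=yes use-peer-dns=no disabled=no

# NAT for the LAN out of the PPPoE interface (what the Quick Set NAT tick does,
# but pointed at pppoe-out1 rather than the physical port).
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade \
    comment="LAN to internet"

# Resolvers: the two addresses from your unblocking service (placeholders here),
# the router answers LAN clients, cache capped at 10 MiB, then flushed.
/ip dns set servers=203.0.113.53,203.0.113.54 allow-remote-requests=yes \
    cache-size=10240KiB
/ip dns cache flush

# Devices with hard-coded resolvers (e.g. Chromecast on Google DNS): redirect
# any port-53 query arriving from the LAN bridge to the router's own resolver.
# in-interface=bridge keeps the rule from touching packets arriving on the WAN.
/ip firewall nat add chain=dstnat in-interface=bridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router resolver (UDP)"
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router resolver (TCP)"

# Free dynamic DNS and clock sync from MikroTik's cloud, then the time zone.
/ip cloud set ddns-enabled=yes update-time=yes
/system clock set time-zone-name=Pacific/Auckland

# Optional UPnP for consoles / torrent clients: LAN bridge internal,
# PPPoE external. This lets LAN devices open ports on demand.
/ip upnp set enabled=yes show-dummy-rule=no allow-disable-external-interface=no
/ip upnp interfaces add interface=bridge type=internal
/ip upnp interfaces add interface=pppoe-out1 type=external

# Apple clients that refuse to associate: set the preamble on wlan1.
/interface wireless set wlan1 preamble-mode=both

# Check the result: the VLAN and PPPoE interfaces should show as running (R),
# and pppoe-out1 should have been handed an address.
/interface print where name~"vlan|pppoe"
/ip address print where interface=pppoe-out1
```

The one thing this does not replace is the firewall section of the post: the NAT redirect rules above deliberately match in-interface=bridge so that they only ever rewrite queries from the LAN, and the input-chain drop on the WAN side still has to point at pppoe-out1 rather than the physical port.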





Reply # 1215685 15-Jan-2015 21:38

So after doing all this I'll get 1gbit over wifi, right!?!?!?




Infrastructure Geek
Reply # 1977103 15-Mar-2018 12:42

nice post @michaelmurfy

I just wiped my RB915G-2HnD in order to connect it to a brand new 2degrees ufb connection. After following the steps above, it wasn't quite working. Rang 2deg to make sure all was activated - it was.

I also found your other post A general Mikrotik setup guide - and saw that there was a missing step above "Next, double-click on pppoe-out1 in the interfaces list and assign it to your VLAN:"

Once I config'd pppoe-out1, it all magically* started working.

* not magic at all really, just config :-)





Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


Infrastructure Geek
Reply # 1985460 29-Mar-2018 15:22

URGENT - if you're running one of these, update ASAP

https://www.cert.govt.nz/it-specialists/advisories/advisory/mikrotik-routeros-vulnerability/

and follow CERTNZ on twitter for other critical alerts: https://twitter.com/CERTNZ/status/979175013776474112







Reply # 1985462 29-Mar-2018 15:26

Regs:

URGENT - if you're running one of these, update ASAP

https://www.cert.govt.nz/it-specialists/advisories/advisory/mikrotik-routeros-vulnerability/

and follow CERTNZ on twitter for other critical alerts: https://twitter.com/CERTNZ/status/979175013776474112

This is very old. It was patched in March 2017.

EDIT: It also required that you had no firewall running.

Previous thread here


Reply # 2024298 28-May-2018 21:29

Apologies for digging this back up but I found that the easiest way was to go through the wizard that first loads (configuring via web browser; the wizard also allows one to change the password), then creating a VLAN interface then rejoining the PPPoE interface created by the wizard to the VLAN created. I'm unsure about the firewall rules when the article was first written but the standard rules that come as part of 6.42.3 pass all the port scan tests.

Laptop: MacBook Pro (15-inch, 2017)
Desktop: iMac (27-inch, 2017)
Smartphone: iPhone Xs Max 256GB 'Space Grey'
Additional devices: Unifi Security Gateway, Unifi Switch, Unifi AP AC HD, Unifi Cloud Key, Apple TV 4K 64GB
Services: iCloud, YouTube Premium, Wordpress, Skinny


Reply # 2024305 28-May-2018 21:43

Default rules are just fine... the main thing being a 'drop All' at the end.
The downfall is when people don't update the inbound interface on that drop rule.

Reply # 2024328 28-May-2018 22:10

thanks for sharing the missing step @Regs, I have a Mikrotik RB951G-2HnD and followed Michael's guide without success. So I stayed with my TP-Link 1043ND with LEDE (OpenWrt), I might pull that Mikrotik out again. :-)

Reply # 2024412 29-May-2018 08:30

Reply # 2024430 29-May-2018 09:13

tkgit:

great to see mikrotik users here,

anyone aware about this?

https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

There have been a number of discussions on here in the past couple of months, and from memory at least a couple last year when it was fixed (it's been fixed since March 2017). I've also blogged about a few of the Mikrotik security issues.

In a nutshell if you have any router exposed to the internet with open ports for access with no whitelisting you're an absolute idiot and deserve to be hacked..
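The two points raised in the replies above, the default drop rule whose inbound interface was never moved off the physical port, and management ports left open to the internet with no whitelisting, as RouterOS terminal configuration. This is an added example and not code from any post in this thread. It assumes the WAN is pppoe-out1, the LAN is 192.168.88.0/24 behind a bridge named bridge, and an otherwise empty filter table; the subnet and interface names are placeholders to adjust.

```routeros
# Added example, not from any post in this thread. RouterOS 6.x terminal syntax.
# Assumptions: WAN is pppoe-out1, LAN is 192.168.88.0/24 behind the bridge
# named "bridge", and the filter table is otherwise empty (rules are appended
# in order, and the order is what makes a drop-all safe to use).

# The trap described above: a default "drop all" whose in-interface is still
# the physical port, so packets arriving over PPPoE never match it.
# Weak (as shipped, before the WAN moved to PPPoE):
#   /ip firewall filter add chain=input in-interface=ether1 action=drop
# Corrected: accept what the router itself asked for, then drop the rest on
# the interface the internet actually arrives on. LAN management still works.
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="replies to router-initiated traffic"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=pppoe-out1 action=drop \
    comment="drop all from internet to router"

# Same for transit traffic: nothing new from the WAN reaches the LAN unless a
# dstnat rule (port forward, UPnP) explicitly created it.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward connection-state=new \
    in-interface=pppoe-out1 connection-nat-state=!dstnat action=drop \
    comment="drop all from internet not DSTNATed"

# Whitelisting: management services only answer the LAN, unused ones are off.
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable [find name=telnet]
/ip service disable [find name=ftp]
/ip service disable [find name=api]
/ip service disable [find name=api-ssl]

# Checks: any drop rule still keyed to the physical port, and what still listens.
/ip firewall filter print where in-interface=ether1 && action=drop
/ip service print where disabled=no

# Stay patched (the fix the replies refer to shipped in March 2017): check for
# and install updates; the router reboots itself after the install.
/system package update check-for-updates
/system package update install
```

Run the two print commands after the changes: the first should list nothing, and the second should list only winbox, www and ssh, each with the LAN address restriction shown. An external scan such as the ShieldsUP test mentioned in the original post then confirms from the outside that nothing on the PPPoE side answers.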

 

 


Reply # 2024901 29-May-2018 15:17

tkgit:

great to see mikrotik users here,

anyone aware about this?

https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

Four posts above yours is the post detailing the fix - in March 2017.

