Common Questions: masquerade vs src-nat action Mikrotik

One of the common questions I get is: what is the difference between masquerade and src-nat, and which should I use?
The quick answer is to use src-nat if your gateway's public IP is static, and use masquerade if it can change (DHCP, PPPoE).

The Mikrotik Wiki Entry
Firewall NAT action=masquerade is a unique sub-version of action=srcnat; it was designed for specific use in situations when the public IP can randomly change, for example a DHCP server changes it, or a PPPoE tunnel after disconnect gets a different IP, in short – when the public IP is dynamic.

Every time the interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries that send packets out that interface, this way improving system recovery time after a public IP address change.
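The two variants side by side, as an added example that is not from the post or the Mikrotik wiki; the interface names, LAN prefix and public address are assumptions:

```routeros
# Added example. Assumes LAN 192.168.88.0/24, WAN ether1 with a fixed
# public address 203.0.113.10, and a PPPoE client pppoe-out1 whose
# address changes on reconnect.

/ip firewall nat
# Static public IP: src-nat to the known address. Existing connection
# tracking entries survive a link flap because the address never changes.
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=src-nat to-addresses=203.0.113.10 comment="LAN out via static WAN"

# Dynamic public IP: masquerade uses whatever address the interface has
# right now, and RouterOS flushes its masqueraded conntrack entries when
# that address changes, so stale translations to the old IP do not linger.
add chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.0/24 \
    action=masquerade comment="LAN out via PPPoE (dynamic)"

# Check which rule is actually being hit and with which translated address
/ip firewall nat print stats
/ip firewall connection print where src-address~"^192\\.168\\.88\\."
```

If you use src-nat on an interface whose address later changes, the old translations keep pointing at the stale public IP until they time out; that is the failure mode masquerade is designed to avoid.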

---
MTIN Family of Sites
https://indycolo.net
https://j2sw.com
https://startawisp.info

Newish Mikrotik Feature: Protected Bootloader

https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader

This is a new feature which allows the protection of the RouterOS configuration and files from a physical attacker by disabling etherboot. It is called “Protected RouterBOOT”. This feature can be enabled and disabled only from within RouterOS after login, i.e., there is no RouterBOOT setting to enable/disable this feature. These extra options appear only under certain conditions. When this setting is enabled, both the reset button and the reset pin-hole are disabled. Console access is also disabled. The only way to change the boot mode or RouterBOOT settings is through RouterOS. If you do not know the RouterOS password, only a complete format is possible.


---

Mikrotik Advanced Tools

Recently a customer called because tools like “IP Scan” and others were missing from the Tools menu. They had forgotten to add the “advanced-tools” package. It is not always installed by default, so sometimes you have to add it manually.

---

Mikrotik Destination Nat

Scenario
You have a customer with a Mikrotik router that needs a port forwarded to an internal IP address. In our case, the customer has a camera that communicates on port 80 with a static IP address of 192.168.21.49 on their internal LAN.

Solution
/ip firewall nat
# Forward inbound TCP/80 to the camera. As written the rule matches TCP/80 arriving on
# any interface; add in-interface=<wan> or dst-address=<public IP> to limit it to the WAN side.
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.21.49 to-ports=80

---

LetsEncrypt and Mikrotik

Recently there has been some activity on integrating LetsEncrypt with Mikrotik. While Mikrotik does not directly support LetsEncrypt yet, you can make it work with this setup:

https://github.com/gitpel/letsencrypt-routeros


From the GitHub Page:

How it works:

  • A dedicated Linux host renews and pushes certificates to RouterOS / Mikrotik
  • After CertBot renews your certificates
  • The script connects to RouterOS / Mikrotik using a DSA key (without password or user input)
  • Deletes previous certificate files
  • Deletes the previous certificate
  • Uploads two new files: Certificate and Key
  • Imports Certificate and Key
  • Changes SSTP Server settings to use the new certificate
  • Deletes certificate and key files from RouterOS / Mikrotik storage

While not perfect, it is a start.
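The router-side half of that procedure, as an added illustration rather than the letsencrypt-routeros project's own script; it assumes the Linux host has already copied cert.pem and key.pem into the router's file storage and that RouterOS names the imported certificate cert.pem_0:

```routeros
# Added illustration of the router-side steps; not the project's script.
# Assumes cert.pem and key.pem have already been uploaded to the router
# (for example over scp) and that the import is named cert.pem_0.

# Remove the certificate imported by the previous run so the new one can
# take its name and the old key material does not accumulate on the router
/certificate remove [find name~"cert.pem"]

# Import the renewed certificate and its private key (unencrypted PEM,
# hence the empty passphrase)
/certificate import file-name=cert.pem passphrase=""
/certificate import file-name=key.pem passphrase=""

# Point the SSTP server at the freshly imported certificate
/interface sstp-server server set certificate="cert.pem_0"

# Do not leave the private key sitting in router storage after the import
/file remove cert.pem
/file remove key.pem

# Verify: the imported certificate should show private-key=yes and the
# expected expiry date
/certificate print detail where name="cert.pem_0"
```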

---

Mikrotik changes their firmware version numbering

While troubleshooting an issue this morning I went to upgrade the RouterBOARD firmware on a CCR after bringing it up to 6.42. The upgrade-firmware version now appears to match the RouterOS version.

/system routerboard print
routerboard: yes
model: CCR1016-12S-1S+
firmware-type: tilegx
factory-firmware: 3.22
current-firmware: 3.41
upgrade-firmware: 6.42

Now, if Mikrotik would just provide release notes for the RouterBOARD firmware in a handy place.

---

IPV6 Firewall rules for Mikrotik

Some basic IPv6 firewall rules for Mikrotik. Replace in-interface=ether1-wan with your own WAN interface name.

/ipv6 firewall filter
# input chain: traffic to the router itself (no action means accept)
add chain=input protocol=icmpv6
add chain=input connection-state=established,related
# DHCPv6 client replies from the WAN (server port 547 -> client port 546)
add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-wan
# forward chain: traffic routed through the router
add chain=forward protocol=icmpv6
add chain=forward connection-state=established,related
# new connections are only allowed from the inside (anything but the WAN)
add chain=forward connection-state=new in-interface=!ether1-wan
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-wan

---

Mikrotik and two unique subnets across an IPsec tunnel

Recently we had an issue with an IPsec tunnel on Mikrotik passing multiple subnets across a tunnel with multiple policies. The problem is that packet forwarding and encryption only worked for one destination (the first matched IPsec policy), and the other subnet, which had the second policy, did not work. In our case, we had two subnets, 192.168.115.0/24 and 192.168.116.0/24, going across the tunnel. We could reach things on 116, but not 115. The following blog post was the fix for our issue.

Mikrotik IPSec VPNs with multiple destination Networks/Policies and SA(s) management.

Once the policy level was set to “unique” everything was good.
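What the fix looks like in configuration, as an added example rather than the configuration from the post or the linked article; the local subnet, peer addresses and proposal name are assumptions, and the sa-src-address/sa-dst-address form matches RouterOS 6.42-era policies:

```routeros
# Added example. Assumes local LAN 10.0.0.0/24, our public address
# 203.0.113.10, the remote peer 198.51.100.20 and the stock "default" proposal.
# With the default level=require, two policies to the same peer can end up
# sharing the SA negotiated for the first one, so only the first matched
# subnet gets encrypted; level=unique forces a separate SA per policy.

/ip ipsec policy
add src-address=10.0.0.0/24 dst-address=192.168.115.0/24 \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    tunnel=yes action=encrypt level=unique proposal=default \
    comment="to 192.168.115.0/24"
add src-address=10.0.0.0/24 dst-address=192.168.116.0/24 \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    tunnel=yes action=encrypt level=unique proposal=default \
    comment="to 192.168.116.0/24"

# Verify: both policies should show ph2-state=established and there
# should be a distinct SA pair (in and out) for each policy
/ip ipsec policy print
/ip ipsec installed-sa print
```

If only one SA pair appears while two policies are active, the second subnet is the one that will fail, which is the symptom described above.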

---