goals:

  • set up a user
  • ssh public key authentication
  • secure ssh and change the default port
  • set hostname
  • timezone and NTP
  • update the system
  • TLS for the web interface
  • disable unused services
  • set up secure wifi APs
  • separate wifi for regular devices + IoT
  • set up separate NAT interfaces
  • configure firewall filter rules
  • IPsec with ProtonVPN + packet tagging using connection-mark
  • IPv6 (not yet ready - will follow as soon as possible)
  • security options
  • some other configurations
  • backup and restore

The default gateway IP is 192.168.88.1

do not connect the device to the WAN interface yet if it has any wifi components: in the default configuration the wifi interfaces are enabled and unencrypted

ssh into the gateway IP; the default admin user has no password

> ssh admin@192.168.88.1

add a new admin user and delete the default "admin" user (log in as the new user in a second session before removing admin, so you cannot lock yourself out)

## add new admin user
/user add name=newusername password="verystrongpassword" group=full

## drop system default user
/user remove admin

import the public ssh key

## copy ssh key per scp to device
> scp sshkey.pub newusername@192.168.88.1:

## import the ssh key
/user ssh-keys import user=newusername public-key-file=sshkey.pub

modify ssh security

## change the ssh port (the scp commands further down use 2222)
/ip service set ssh port=2222

## set "strong" crypto
/ip ssh set strong-crypto=yes

## use a 4096 bit host key (this sets the size of the router's own host key, not a minimum for client keys)
/ip ssh set host-key-size=4096

## regenerate ssh host keys
/ip ssh regenerate-host-key

regenerating the host keys takes a while and the device needs a reboot after completion; your ssh clients will then warn about a changed host key, so remove the old entry for 192.168.88.1 from ~/.ssh/known_hosts and verify the new fingerprint on the console before accepting it

set hostname

/system identity set name="myfunkyhostname"

disable the wifi interfaces temporarily if there are any

/interface wireless disable numbers=wlan1,wlan2

at this point we can connect the WAN interface

set up timezone and NTP

## set timezone "Europe/Berlin"
/system clock set time-zone-name=Europe/Berlin

## set NTP servers
/system ntp client set server-dns-names="0.openbsd.pool.ntp.org,1.openbsd.pool.ntp.org" enabled=yes

update system to the latest version

## download packages
/system package update check-for-updates

## install packages - the system reboots after this
/system package update install

set up TLS on the web interface (webfig)

## create root CA
/certificate add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign

## sign created CA certificate
/certificate sign LocalCA

## create the certificate for webfig (signed by the local CA, not self-signed); the common-name must be the address you browse to, and current browsers also expect it in subject-alt-name, so re-issue it when the management address changes
/certificate add name=Webfig common-name=192.168.88.1

## sign created certificate for webfig
/certificate sign Webfig ca=LocalCA

## enable www-ssl and specify the newly created certificate for webfig
/ip service set www-ssl certificate=Webfig disabled=no tls-version=only-1.2

disable unused services

## disable services
/ip service disable www,telnet,ftp,api,api-ssl,winbox

## show services
/ip service print detail

back up the default wifi setup

## write wifi config to file
/interface wireless export verbose file=wireless_backup

## download the wifi config file (export appends ".rsc" to the name)
> scp -P 2222 newusername@192.168.88.1:/wireless_backup.rsc ~/.

set up wifi security profiles

## home profile wlan1 - 5GHz
/interface wireless security-profiles
  add name=wifilan authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=1234567890 disable-pmkid=yes

## iot profile wlan2 - 2.4GHz
/interface wireless security-profiles
  add name=iotnet authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=1234567890 disable-pmkid=yes

please do not just copy this config - change the pre-shared-key (a long random passphrase, not a number) and leave the ciphers at the default aes-ccm; do not enable tkip
if there are any connection drops set disable-pmkid=no
for details on the PMKID attack see this paper from the HU-Berlin

prepare wifi config and enable interfaces

/interface wireless
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge secondary-channel=auto ssid=MikroTik-006360-5GHz \
    security-profile=wifilan country=germany station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled multicast-helper=disabled
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    security-profile=iotnet country=germany distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-006360-2.4GHz \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled \
    multicast-helper=disabled

this config is for Germany (country=germany)
for more details about 5GHz channel configuration see this article

after a few days my ThinkPad didn't find the 5GHz network - now I use 20/40/80mhz-Ceee and 5500MHz (ch100) without any problems

enable the wifi interfaces

/interface wireless enable numbers=wlan1,wlan2

planning the interface setup

   ┌─────────────────────────────────────────────────────────────────────────────┐
   │                                                                             │
   │   10.0.0.1/24 --- linklocal - Webservices exposed to the internet           │
   │   10.10.0.1/24 -- homenet --- Multimedia network for streaming and gaming   │
   │   172.16.0.1/24 - wifilan --- Smartphones, Notebooks (only 5GHz)            │
   │   172.18.0.1/24 - iotnet  --- Internet of shit (2.4GHz Wifi + Ethernet)     │
   │   172.20.0.1/24 - hacknet --- Network for science like HackTheBox           │
   │   172.24.0.1/24 - worklan --- Home office network                           │
   │   172.28.0.1/24 - majornet -- Administrative network for maintenance        │
   │                                                                             │
   └─────────────────────────────────────────────────────────────────────────────┘

set up gateway address and network per interface

/ip address
add address=10.0.0.1/24 network=10.0.0.0 interface=ether2 comment=linklocal
add address=10.10.0.1/24 network=10.10.0.0 interface=ether3 comment=homenet
add address=172.16.0.1/24 network=172.16.0.0 interface=wlan1 comment=wifilan
add address=172.18.0.1/24 network=172.18.0.0 interface=wlan2 comment=iotnet
add address=172.20.0.1/24 network=172.20.0.0 interface=ether4 comment=hacknet
add address=172.24.0.1/24 network=172.24.0.0 interface=ether5 comment=worklan
add address=172.28.0.1/24 network=172.28.0.0 interface=ether6 comment=majornet

define ip pools

/ip pool
add name=dhcp_linklocal ranges=10.0.0.100-10.0.0.254 next-pool=none comment=linklocal
add name=dhcp_homenet ranges=10.10.0.100-10.10.0.254 next-pool=none comment=homenet
add name=dhcp_wifilan ranges=172.16.0.100-172.16.0.254 next-pool=none comment=wifilan
add name=dhcp_iotnet ranges=172.18.0.100-172.18.0.254 next-pool=none comment=iotnet
add name=dhcp_hacknet ranges=172.20.0.100-172.20.0.254 next-pool=none comment=hacknet
add name=dhcp_worklan ranges=172.24.0.100-172.24.0.254 next-pool=none comment=worklan
add name=dhcp_majornet ranges=172.28.0.100-172.28.0.254 next-pool=none comment=majornet

configure dhcp networks and dns servers

/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24 dns-server=176.9.93.198,176.9.1.117,46.182.19.48,80.241.218.68 domain="linklocal" comment=linklocal
add address=10.10.0.0/24 gateway=10.10.0.1 netmask=24 dns-server=176.9.93.198,176.9.1.117,46.182.19.48,80.241.218.68 domain="homenet" comment=homenet
add address=172.16.0.0/24 gateway=172.16.0.1 netmask=24 dns-server=176.9.93.198,176.9.1.117,46.182.19.48,80.241.218.68 domain="wifilan" comment=wifilan
add address=172.18.0.0/24 gateway=172.18.0.1 netmask=24 dns-server=176.9.93.198,176.9.1.117,46.182.19.48,80.241.218.68 domain="iotnet" comment=iotnet
add address=172.20.0.0/24 gateway=172.20.0.1 netmask=24 dns-server=176.9.93.198,176.9.1.117,46.182.19.48,80.241.218.68 domain="hacknet" comment=hacknet
add address=172.24.0.0/24 gateway=172.24.0.1 netmask=24 dns-server=176.9.93.198,176.9.1.117,46.182.19.48,80.241.218.68 domain="worklan" comment=worklan
add address=172.28.0.0/24 gateway=172.28.0.1 netmask=24 dns-server=176.9.93.198,176.9.1.117,46.182.19.48,80.241.218.68 domain="majornet" comment=majornet

the DNS servers are those of dnsforge.de and digitalcourage.de

set up the dhcp servers

/ip dhcp-server
add name=dhcp-linklocal interface=ether2 address-pool=dhcp_linklocal authoritative=yes bootp-support=static use-radius=no use-framed-as-classless=yes conflict-detection=yes insert-queue-before=first allow-dual-stack-queue=yes disabled=no
add name=dhcp-homenet interface=ether3 address-pool=dhcp_homenet authoritative=yes bootp-support=static use-radius=no use-framed-as-classless=yes conflict-detection=yes insert-queue-before=first allow-dual-stack-queue=yes disabled=no
add name=dhcp-wifilan interface=wlan1 address-pool=dhcp_wifilan authoritative=yes bootp-support=static use-radius=no use-framed-as-classless=yes conflict-detection=yes insert-queue-before=first allow-dual-stack-queue=yes disabled=no
add name=dhcp-iotnet interface=wlan2 address-pool=dhcp_iotnet authoritative=yes bootp-support=static use-radius=no use-framed-as-classless=yes conflict-detection=yes insert-queue-before=first allow-dual-stack-queue=yes disabled=no
add name=dhcp-hacknet interface=ether4 address-pool=dhcp_hacknet authoritative=yes bootp-support=static use-radius=no use-framed-as-classless=yes conflict-detection=yes insert-queue-before=first allow-dual-stack-queue=yes disabled=no
add name=dhcp-worklan interface=ether5 address-pool=dhcp_worklan authoritative=yes bootp-support=static use-radius=no use-framed-as-classless=yes conflict-detection=yes insert-queue-before=first allow-dual-stack-queue=yes disabled=no
add name=dhcp-majornet interface=ether6 address-pool=dhcp_majornet authoritative=yes bootp-support=static use-radius=no use-framed-as-classless=yes conflict-detection=yes insert-queue-before=first allow-dual-stack-queue=yes disabled=no

take the configured interfaces out of the default bridge (the port numbers below are device specific - check them with /interface bridge port print first, since an interface that is still a bridge port will not use the address assigned above)

/interface bridge port disable numbers=0,1,2,3,4,10,11

create a bridge if you want to bind interfaces together as a layer 2 switch

## create new  bridge
/interface bridge add name=homenet-bridge

## delete the default port entry from the bridge (again, check the number with print first)
/interface bridge port remove numbers=9

## add interface to new bridge
/interface bridge port add bridge=homenet-bridge interface=ether7
/interface bridge port add bridge=homenet-bridge interface=ether8
/interface bridge port add bridge=homenet-bridge interface=ether9

change the interface of the ip-address and dhcp-server entries of the networks concerned to the new bridge

add static leases like this

/ip dhcp-server lease
add address=10.0.0.y mac-address=\
    XX:XX:XX:XX:XX:XX server=dhcp-linklocal

back up the firewall rules

## export to file
/ip firewall filter export file=fw_rules

## download firewall config
> scp -P 2222 newusername@192.168.88.1:/fw_rules.rsc ~/.

flush all firewall rules (do this from a LAN session and enter Safe Mode first with Ctrl-X, which reverts the changes if the connection drops; the router is unprotected until the new rules are in place)

/ip firewall filter remove [/ip firewall filter find]

/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN disabled=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

add action=accept chain=forward comment="allow hosts > NAS" dst-address=10.0.0.y src-address=10.10.0.y
add action=accept chain=forward comment="allow hosts > stream" dst-address=10.0.0.y dst-port=80,443 protocol=tcp src-address=10.10.0.y
add action=accept chain=forward dst-address=10.0.0.y dst-port=80,443 protocol=tcp src-address=10.10.0.y
add action=accept chain=forward comment="allow honor > kodi" dst-address=10.10.0.y dst-port=8080 protocol=tcp src-address=172.16.0.y
add action=accept chain=forward dst-address=10.10.0.y dst-port=8080 protocol=tcp src-address=172.16.0.y
add action=accept chain=forward comment="allow nexus > kodi" dst-address=10.10.0.y dst-port=8080 protocol=tcp src-address=172.16.0.y
add action=accept chain=forward dst-address=10.10.0.y dst-port=8080 protocol=tcp src-address=172.16.0.y
add action=accept chain=forward comment="allow iot > homeassistant" dst-address=10.0.0.y src-address=172.18.0.100-172.18.0.254

add chain=forward action=drop src-address=10.0.0.0/24 dst-address=10.10.0.0/24 log=no log-prefix="" comment="drop linklocal > homenet"
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=172.16.0.0/24 log=no log-prefix="" comment="drop linklocal > wifilan"
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=172.18.0.0/24 log=no log-prefix="" comment="drop linklocal > iotnet"
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=172.20.0.0/24 log=no log-prefix="" comment="drop linklocal > hacknet"
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=172.24.0.0/24 log=no log-prefix="" comment="drop linklocal > worklan"
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=172.28.0.0/24 log=no log-prefix="" comment="drop linklocal > majornet"

add chain=forward action=drop src-address=10.10.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" comment="drop homenet > linklocal"
add chain=forward action=drop src-address=10.10.0.0/24 dst-address=172.16.0.0/24 log=no log-prefix="" comment="drop homenet > wifilan"
add chain=forward action=drop src-address=10.10.0.0/24 dst-address=172.18.0.0/24 log=no log-prefix="" comment="drop homenet > iotnet"
add chain=forward action=drop src-address=10.10.0.0/24 dst-address=172.20.0.0/24 log=no log-prefix="" comment="drop homenet > hacknet"
add chain=forward action=drop src-address=10.10.0.0/24 dst-address=172.24.0.0/24 log=no log-prefix="" comment="drop homenet > worklan"
add chain=forward action=drop src-address=10.10.0.0/24 dst-address=172.28.0.0/24 log=no log-prefix="" comment="drop homenet > majornet"

add chain=forward action=drop src-address=172.16.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" comment="drop wifilan > linklocal"
add chain=forward action=drop src-address=172.16.0.0/24 dst-address=10.10.0.0/24 log=no log-prefix="" comment="drop wifilan > homenet"
add chain=forward action=drop src-address=172.16.0.0/24 dst-address=172.18.0.0/24 log=no log-prefix="" comment="drop wifilan > iotnet"
add chain=forward action=drop src-address=172.16.0.0/24 dst-address=172.20.0.0/24 log=no log-prefix="" comment="drop wifilan > hacknet"
add chain=forward action=drop src-address=172.16.0.0/24 dst-address=172.24.0.0/24 log=no log-prefix="" comment="drop wifilan > worklan"
add chain=forward action=drop src-address=172.16.0.0/24 dst-address=172.28.0.0/24 log=no log-prefix="" comment="drop wifilan > majornet"

add chain=forward action=drop src-address=172.18.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" comment="drop iotnet > linklocal"
add chain=forward action=drop src-address=172.18.0.0/24 dst-address=10.10.0.0/24 log=no log-prefix="" comment="drop iotnet > homenet"
add chain=forward action=drop src-address=172.18.0.0/24 dst-address=172.16.0.0/24 log=no log-prefix="" comment="drop iotnet > wifilan"
add chain=forward action=drop src-address=172.18.0.0/24 dst-address=172.20.0.0/24 log=no log-prefix="" comment="drop iotnet > hacknet"
add chain=forward action=drop src-address=172.18.0.0/24 dst-address=172.24.0.0/24 log=no log-prefix="" comment="drop iotnet > worklan"
add chain=forward action=drop src-address=172.18.0.0/24 dst-address=172.28.0.0/24 log=no log-prefix="" comment="drop iotnet > majornet"

add chain=forward action=drop src-address=172.20.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" comment="drop hacknet > linklocal"
add chain=forward action=drop src-address=172.20.0.0/24 dst-address=10.10.0.0/24 log=no log-prefix="" comment="drop hacknet > homenet"
add chain=forward action=drop src-address=172.20.0.0/24 dst-address=172.16.0.0/24 log=no log-prefix="" comment="drop hacknet > wifilan"
add chain=forward action=drop src-address=172.20.0.0/24 dst-address=172.18.0.0/24 log=no log-prefix="" comment="drop hacknet > iotnet"
add chain=forward action=drop src-address=172.20.0.0/24 dst-address=172.24.0.0/24 log=no log-prefix="" comment="drop hacknet > worklan"
add chain=forward action=drop src-address=172.20.0.0/24 dst-address=172.28.0.0/24 log=no log-prefix="" comment="drop hacknet > majornet"

add chain=forward action=drop src-address=172.24.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" comment="drop worklan > linklocal"
add chain=forward action=drop src-address=172.24.0.0/24 dst-address=10.10.0.0/24 log=no log-prefix="" comment="drop worklan > homenet"
add chain=forward action=drop src-address=172.24.0.0/24 dst-address=172.16.0.0/24 log=no log-prefix="" comment="drop worklan > wifilan"
add chain=forward action=drop src-address=172.24.0.0/24 dst-address=172.18.0.0/24 log=no log-prefix="" comment="drop worklan > iotnet"
add chain=forward action=drop src-address=172.24.0.0/24 dst-address=172.20.0.0/24 log=no log-prefix="" comment="drop worklan > hacknet"
add chain=forward action=drop src-address=172.24.0.0/24 dst-address=172.28.0.0/24 log=no log-prefix="" comment="drop worklan > majornet"

add chain=forward action=drop src-address=172.28.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" comment="drop majornet > linklocal"
add chain=forward action=drop src-address=172.28.0.0/24 dst-address=10.10.0.0/24 log=no log-prefix="" comment="drop majornet > homenet"
add chain=forward action=drop src-address=172.28.0.0/24 dst-address=172.16.0.0/24 log=no log-prefix="" comment="drop majornet > wifilan"
add chain=forward action=drop src-address=172.28.0.0/24 dst-address=172.18.0.0/24 log=no log-prefix="" comment="drop majornet > iotnet"
add chain=forward action=drop src-address=172.28.0.0/24 dst-address=172.20.0.0/24 log=no log-prefix="" comment="drop majornet > hacknet"
add chain=forward action=drop src-address=172.28.0.0/24 dst-address=172.24.0.0/24 log=no log-prefix="" comment="drop majornet > worklan"

add chain=forward action=drop src-address=172.18.0.0/24 out-interface=ether1 log=no log-prefix="" comment="drop iot > internet"

please do not just copy this config, study>use>improve>repeat
a few things to keep in mind with this rule set: the defconf rule "drop all not coming from LAN" in the input chain is disabled and nothing else drops in the input chain, so the router's own services (ssh, webfig) are reachable from every interface including WAN and are protected only by the address restrictions in the security options below; likewise "drop all from WAN not DSTNATed" only matches if ether1 is a member of the WAN interface list. put the WAN and LAN ports into those lists (/interface list member) and re-enable the defconf drop. the fasttrack rule is disabled on purpose: fasttracked connections bypass mangle and IPsec policies, which the VPN setup below depends on. the last rule assumes ether1 is the WAN port.
for an advanced firewall configuration see: help.mikrotik.com
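The drop matrix above grows as n*(n-1) rules and is easy to get subtly wrong by hand. The following generator is an added example, not code from the original page: it takes the page's network plan, refuses overlapping prefixes, checks that every exception address actually belongs to a planned network, and emits the rules in the order RouterOS needs (accepts first, then the drops). It produces both the explicit matrix the page uses and an equivalent address-list form that needs a single drop rule. The ALLOW entries (hosts, port 8123) are constructed placeholders, as the page's own exceptions use 10.0.0.y style placeholders.

```python
"""Emit the inter-network isolation rules for a RouterOS filter chain.

Added example, not from the original page. NETWORKS is the page's interface
plan; ALLOW holds constructed exception entries. Both the explicit drop matrix
the page uses and the address-list form that replaces it with a single drop
rule are generated, with the accept exceptions placed first, because RouterOS
evaluates filter rules top to bottom.
"""
from ipaddress import ip_address, ip_network

NETWORKS = {
    "linklocal": "10.0.0.0/24",
    "homenet": "10.10.0.0/24",
    "wifilan": "172.16.0.0/24",
    "iotnet": "172.18.0.0/24",
    "hacknet": "172.20.0.0/24",
    "worklan": "172.24.0.0/24",
    "majornet": "172.28.0.0/24",
}

# constructed exceptions: host addresses or a-b ranges, keys as in the exported rules
ALLOW = [
    {"comment": "allow homenet host > NAS", "src_address": "10.10.0.50",
     "dst_address": "10.0.0.10"},
    {"comment": "allow iot > homeassistant", "src_address": "172.18.0.100-172.18.0.254",
     "dst_address": "10.0.0.20", "dst_port": "8123", "protocol": "tcp"},
]


def _fmt(chain, action, **kv):
    """Render one 'add ...' line in RouterOS export syntax (keys use dashes)."""
    parts = ["add chain=%s action=%s" % (chain, action)]
    for key, value in kv.items():
        if key == "comment":
            value = '"%s"' % value
        parts.append("%s=%s" % (key.replace("_", "-"), value))
    return " ".join(parts)


def check_plan(networks):
    """Parse the plan and refuse overlapping prefixes: an overlap makes a drop
    (or an accept) silently cover more than its name suggests."""
    nets = {name: ip_network(cidr) for name, cidr in networks.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError("%s (%s) overlaps %s (%s)" % (a, nets[a], b, nets[b]))
    return nets


def _in_plan(nets, addr):
    """True if each end of an address or 'a-b' range lies inside a planned network."""
    return all(any(ip_address(end) in net for net in nets.values())
               for end in addr.split("-"))


def accept_rules(networks, allow):
    """Exception rules; every address must belong to a planned network so that a
    typo cannot punch a hole towards an unplanned range."""
    nets = check_plan(networks)
    rules = []
    for exc in allow:
        for side in ("src_address", "dst_address"):
            if not _in_plan(nets, exc[side]):
                raise ValueError("%s: %s is outside the plan" % (exc["comment"], exc[side]))
        rules.append(_fmt("forward", "accept", **exc))
    return rules


def drop_matrix(networks):
    """The page's explicit form: one drop per ordered pair, n*(n-1) rules."""
    nets = check_plan(networks)
    return [_fmt("forward", "drop", src_address=nets[s], dst_address=nets[d],
                 comment="drop %s > %s" % (s, d))
            for s in nets for d in nets if s != d]


def address_list_rules(networks, list_name="internal"):
    """Same isolation with one address list and a single drop rule; the list
    section and the drop rule are returned separately so the caller orders them."""
    nets = check_plan(networks)
    section = ["/ip firewall address-list"] + [
        "add list=%s address=%s comment=%s" % (list_name, net, name)
        for name, net in nets.items()]
    drop = _fmt("forward", "drop", src_address_list=list_name,
                dst_address_list=list_name, comment="drop internal > internal")
    return section, drop


def rule_set(networks, allow, explicit_matrix=False):
    """Complete, correctly ordered block ready to paste into the RouterOS CLI."""
    accepts = accept_rules(networks, allow)
    if explicit_matrix:
        return ["/ip firewall filter"] + accepts + drop_matrix(networks)
    section, drop = address_list_rules(networks)
    return section + ["/ip firewall filter"] + accepts + [drop]


if __name__ == "__main__":
    print("\n".join(rule_set(NETWORKS, ALLOW)))
```

Paste the output into the CLI after the defconf rules; the address-list form keeps the exceptions readable and adding an eighth network is one address-list entry instead of fourteen new filter rules.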

import the CA certificate from the ProtonVPN *.ovpn file

## copy certificate to routerboard
> scp -P 2222 us-gb-01.protonvpn.com.tcp.ovpn newusername@v.w.x.y:

## import certificate
/certificate import file-name=us-gb-01.protonvpn.com.tcp.ovpn

enter the passphrase from your Proton account when prompted

IPsec configuration with ProtonVPN

/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
add connection-mark=ProtonVPN name=ProtonVPN responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
add name=ProtonVPN
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1d name=ProtonVPN \
    nat-traversal=yes proposal-check=obey
/ip ipsec peer
add address=37.58.58.y/32 disabled=no exchange-mode=ike2 name=ProtonVPN \
    profile=ProtonVPN send-initial-contact=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
add auth-algorithms=sha256 disabled=no enc-algorithms=aes-256-cbc lifetime=\
    30m name=ProtonVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" disabled=no eap-methods=eap-mschapv2 \
    generate-policy=port-strict mode-config=ProtonVPN password=\
    yourpassword peer=ProtonVPN policy-template-group=\
    ProtonVPN username=<username>
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
add disabled=no dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN \
    protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no

ensure date and time are set correctly, otherwise validation of the peer certificate fails; for more details see this thread on the MK forum. note that the ProtonVPN profile still lists modp1024 as a fallback DH group and the proposal has pfs-group=none; remove modp1024 from the list if the peer negotiates without it. the weak values in the default profile and proposal (3des, sha1, modp1024) are the untouched RouterOS defaults and are not used by the ProtonVPN peer

connection marking for VPN policy routing

## tunnel a whole network
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=ProtonVPN passthrough=yes \
      src-address=10.10.0.0/24 log=no log-prefix="" comment="tunnel network"

## tunnel a single host
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=ProtonVPN passthrough=yes \
      src-address=10.10.0.y/32 log=no log-prefix="" comment="tunnel client"

the connection-mark=ProtonVPN on the mode-config entry above ties the dynamically created source NAT to exactly these marked connections; fasttrack must stay disabled, because fasttracked packets skip the mangle chain and would never be marked
make sure the tunnelled hosts use 10.8.8.1 (the resolver ProtonVPN hands out) as their DNS server; otherwise their queries go in clear text to the resolvers from DHCP, which is a DNS leak - test this on dnsleaktest.com

security options

## allow ssh and webfig login only from specific addresses (example values)
/ip service set www-ssl,ssh address=192.168.88.0/24,10.0.0.7/32

## disable mac-telnet services
/tool mac-server set allowed-interface-list=none

## disable mac-winbox services
/tool mac-server mac-winbox set allowed-interface-list=none

## disable mac-ping service
/tool mac-server ping set enabled=no

## disable MikroTik neighbor discovery
/ip neighbor discovery-settings set discover-interface-list=none

## disable bandwidth server
/tool bandwidth-server set enabled=no

## disable firewall service ports
/ip firewall service-port disable dccp,ftp,h323,irc,pptp,sctp,sip,tftp,udplite

attention: the addresses allowed to log in must match your own setup - 192.168.88.0/24 and 10.0.0.7/32 are just examples; in the layout above the management network is majornet (172.28.0.0/24)
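Most of the points on this page (the firewall rule set, the disabled services, the wifi profiles) can be checked against an export of the running configuration instead of by eye. The script below is an added example, not code from the original page: it parses an .rsc export in the syntax the page's own rules use (including `\` continuation lines and `set [ find default=yes ]` selectors) and reports an input chain without an enabled catch-all drop, management services that are not disabled, and wifi profiles without disable-pmkid, with WPA1/TKIP, or with a short pre-shared key. SAMPLE_EXPORT is a constructed fragment shaped so that every check fires at least once; feed it a real `/export verbose file=...` downloaded with scp as the page does for the wireless backup.

```python
"""Check a RouterOS export (.rsc) for the hardening points this page makes.

Added example, not from the original page. SAMPLE_EXPORT is a constructed
export fragment in the syntax the page's own rules use, shaped so that every
check fires at least once: an input chain whose only catch-all drop is
disabled, management services left enabled, a wifi profile without
disable-pmkid and the page's placeholder pre-shared key.
"""
import shlex

SAMPLE_EXPORT = r"""/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.28.0.0/24 port=2222
set winbox disabled=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add name=wifilan authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=1234567890 disable-pmkid=yes
add name=iotnet authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=1234567890
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
"""

# matchers a rule may carry and still count as "drops everything (not from LAN)"
CATCH_ALL_KEYS = {"chain", "action", "comment", "log", "log-prefix", "disabled",
                  "in-interface-list"}
SERVICES_TO_DISABLE = ("api", "api-ssl", "ftp", "telnet", "winbox", "www")


def _logical_lines(text):
    """Join RouterOS backslash continuation lines back into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield (buf + line).strip()
        buf = ""


def parse_export(text):
    """Return (section, verb, positional args, {key: value}) per statement."""
    section, statements = None, []
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # honours the quoting of comment="..."
        verb, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "[":          # drop a '[ find default=yes ]' selector
            rest = rest[rest.index("]") + 1:]
        positional = [t for t in rest if "=" not in t]
        kv = dict(t.split("=", 1) for t in rest if "=" in t)
        statements.append((section, verb, positional, kv))
    return statements


def audit(statements):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. input chain: an enabled drop that matches everything, or everything not from LAN
    catch_all = [kv for sec, _, _, kv in statements
                 if sec == "/ip firewall filter" and kv.get("chain") == "input"
                 and kv.get("action") == "drop" and kv.get("disabled") != "yes"
                 and set(kv) <= CATCH_ALL_KEYS
                 and kv.get("in-interface-list", "!").startswith("!")]
    if not catch_all:
        findings.append("input chain: no enabled catch-all drop, router services "
                        "reachable from every interface")
    # 2. management services: an export only lists non-default values, so a service
    #    that does not appear at all is still at its default, i.e. enabled
    services = {pos[0]: kv for sec, _, pos, kv in statements
                if sec == "/ip service" and pos}
    for svc in SERVICES_TO_DISABLE:
        if services.get(svc, {}).get("disabled") != "yes":
            findings.append("service %s: not disabled" % svc)
    # 3. wifi security profiles (the 'set' of the default profile is not a real AP profile)
    for sec, verb, _, kv in statements:
        if sec != "/interface wireless security-profiles" or verb != "add":
            continue
        name = kv.get("name", "?")
        if kv.get("disable-pmkid") != "yes":
            findings.append("wifi profile %s: PMKID not disabled" % name)
        if ("wpa-psk" in kv.get("authentication-types", "").split(",")
                or "tkip" in kv.get("unicast-ciphers", "").split(",")):
            findings.append("wifi profile %s: WPA1 or TKIP enabled" % name)
        psk = kv.get("wpa2-pre-shared-key")
        if psk is not None and len(psk) < 16:
            findings.append("wifi profile %s: pre-shared key shorter than 16 characters" % name)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in audit(parse_export(text)):
        print(finding)
```

Run it as `python3 audit.py export.rsc`; the absent-means-default rule in check 2 is what makes the script catch api and api-ssl here, which a grep for `disabled=yes` would miss.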

other configurations

## do not answer DNS queries from clients (the router is not used as a resolver; the clients get the external resolvers via DHCP)
/ip dns set allow-remote-requests=no

## disable proxy
/ip proxy set enabled=no

## disable socks proxy
/ip socks set enabled=no

## disable UPNP service
/ip upnp set enabled=no

## disable the IP cloud dynamic DNS service
/ip cloud set ddns-enabled=no update-time=no

backup and restore

## back up your configuration (writes xx-yyyy-zz-01.backup, encrypted with the password; a binary backup is meant for the same device, so keep a readable /export file as well)
/system backup save name="xx-yyyy-zz-01" password="verystrongpassword"

## download the backup
> scp -P 2222 newusername@w.x.y.z:/xx-yyyy-zz-01.backup ~/.

## restore settings (the device reboots after loading)
/system backup load name=xx-yyyy-zz-01.backup password="verystrongpassword"

to load the default configuration, power down the device, hold the reset button, power up and keep holding it until the SFP port LED blinks, then release; the same can be done from the CLI with /system reset-configuration