I bought a MikroTik RB4011 router to replace the router for my TimeDotCom Fiber Internet service. Mostly for fun and education. ☺



Actually there were some issues bugging me with the TIME-supplied DIR-882 router. It's a speedy router, but I couldn't get NAT loopback to work, DNS lookups with Google DNS seemed sluggish, and I wanted to monitor my traffic using SNMP. Although the firmware is customized for TIME, TIME's support referred me to D-Link for questions regarding the router.

But the main reason was that I needed a WiFi Access Point elsewhere, so it was better to repurpose the DIR-882 as an AP and get a replacement router. In the past I used to flash my routers with OpenWRT, and this would have most of the features I needed. But finding a good router that OpenWRT is compatible with, and that works reliably and optimally, is not easy. So I decided to look for a router with a stock firmware that had lots of features and processing capacity that I could grow to use.

TIME's internet service is easier to configure than UniFi or Maxis, as there are no VLAN settings required. However, it was my first time using RouterOS, so most of the effort was in googling how to do things. Overall I am quite impressed with the feature set. The RB4011 is probably overkill for this, but I didn't want to be disappointed if a smaller model turned out slower than the router TIME supplied. Also there are a lot of things I will be able to explore and experiment with on it. I might also get the smaller MikroTik hAP AC2 to play with in the future ... so I can play with the WiFi features as well (the RB4011 variant I got doesn't have WiFi, as I don't need WiFi at that location).

Basic Setup and Configuration

In its factory state, or after a factory reset (to reset the router to the factory configuration, hold the reset button while powering on until the LED starts flashing, then release it), the RB4011 starts off with the following settings:
Router Mode:

  • WAN port (ether1) is protected by the firewall and runs a DHCP client
  • All other Ethernet interfaces are members of the LAN bridge
  • LAN Configuration:
    • IP address 192.168.88.1/24 is set on the bridge (LAN ports)
    • DHCP Server: enabled;
  • WAN (gateway) Configuration:
    • gateway: ether1 ;
    • IPv4 firewall: enabled;
    • NAT: enabled;
    • DHCP Client: enabled;
    • DNS: enabled;

I connected power to the RB4011, and connected port 1 to the WAN port on the TIME BTU, and port 2 to my LAN Switch. I switched off the existing DIR-882. Because the RB4011's default LAN IP is on a different subnet from mine, I temporarily added a virtual network interface for that subnet on my desktop PC:



Now I can ping the RB4011 and browse to the web interface via http://192.168.88.1/.

The RB4011 can be configured from a command line (over SSH or telnet, or from the serial console), a web-based user interface (WebFig), or a Windows-based client program called WinBox. Most of the tutorials online are based around WinBox, and while it is possible to run WinBox on Linux via Wine, I would like to see how much I can do without that. The web interface seems to perform all the same functions as WinBox, but requires that you have IP network access to the device.

The RB4011 also has an RJ45 port acting as a serial console, so I think if I were to lose IP access, I would be able to use this port to regain access. However, I don't have the RJ45 RS232 pin assignments, which I need to hunt down and make a cable for (TODO). The RS232 settings are 115200, 8N1.

WinBox/WebFig offer a vast number of settings; however, for first-timers there are standard presets available under what is known as "Quick Set". The RB4011, which has no WiFi or USB ports, only has two Quick Set choices: it can operate as a router or as a bridge. Therefore the Quick Set screen on the RB4011 is quite basic.

Here are the settings I made:

  • Mode: Router
  • Internet
    • Port : ether1
    • Address Acquisition : PPPoE
    • PPPoE User: the "Network ID" from my TIME Welcome email
    • PPPoE Password: the "Network Password" from my TIME Welcome email
    • PPPoE Service Name : left unfilled
  • Local Network
    • IP Address : 192.168.1.1
    • Netmask: 255.255.255.0 (/24)
    • DHCP Server: Tick
    • DHCP Server Range: 192.168.1.100-192.168.1.254
    • NAT: Tick
  • VPN:
    • VPN Access : untick
  • System:
    • Router Identity : MikroTikRouter
  • Password:
    • Set a new router password.

Here's what the Quick Set settings page looked like:




I pressed Apply Configuration. I then had to disconnect and reconnect my laptop's ethernet, as the LAN IP had changed. Once I did that I browsed to http://192.168.1.1, and I was able to get into my router again, which now demands a login password. Meanwhile, the PPPoE client had established a connection to the internet and I was now back online via the RB4011. Err ... that's it! Basic router configuration is done!

I was happy to find that the performance was about the same as the DIR-882:



Upgrade Firmware

It is recommended to check for updated firmware as soon as the router can reach the Internet. Under the "Quick Set" menu, at the very bottom, is a button to "Check For Updates". Clicking this showed a "New version is available":



I clicked Download and install, and after a few seconds it said the router was rebooting. I waited a bit, and refreshed the browser and logged in. Now my firmware was up to date:



Change LAN IP from "ether2" to "Bridge"

I intend to use a few of the ether ports on the RB4011 as switch ports for my LAN, therefore the LAN IP address, which Quick Set assigned to ether2, needs to be moved to the bridge interface:

  • Click on "IP" → "Addresses"
    • Change "Interface" from "ether2" to "bridge"
    • Press "Apply"






Remote Network Port Scan

From an external host, run nmap against the router's external IPv4 address (nmap scans IPv4 by default; once IPv6 is enabled, repeat the scan with -6 against the router's IPv6 address as well):

  • sudo nmap -p- 202.184.32.150



Hmm ... port 50805 seems to be some remote management feature. I'm not sure how to disable it, if anyone knows, do share.
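Whatever is answering on that port, the first thing worth doing after the router is online is to pin the management plane down to the LAN, so that an external scan has as little as possible to find. The following is an added example (not from the original post) of how to do that from the RouterOS terminal; it assumes the Quick Set values used above (LAN 192.168.1.0/24, Internet on pppoe-out1) and the LAN/WAN interface lists created by the factory configuration.

```routeros
# Added example, not from the original post: restrict RouterOS management to the LAN.
# Assumed: LAN 192.168.1.0/24, PPPoE interface pppoe-out1, factory interface lists LAN/WAN.

# Plaintext and legacy management services off; nothing in this setup needs them
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# The services that stay only answer to the LAN subnet, not to the whole Internet
set ssh address=192.168.1.0/24
set winbox address=192.168.1.0/24
set www address=192.168.1.0/24
# www-ssl needs a certificate installed first; leave it off until then
set www-ssl disabled=yes
/ip ssh set strong-crypto=yes

# Layer-2 management (MAC-telnet, MAC-WinBox) and neighbor discovery only on LAN ports
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
# The bandwidth-test server is a DoS vector on an Internet-facing router
/tool bandwidth-server set enabled=no

# The factory input chain ends with "drop all not coming from LAN". That only
# protects the PPPoE link if pppoe-out1 is in the WAN list and not in the LAN
# list, so check the lists before trusting the firewall to cover it:
/interface list member print
# If pppoe-out1 is missing from WAN, add it:
# /interface list member add list=WAN interface=pppoe-out1

# Inside view of what is listening; re-run the external nmap afterwards
/ip service print
/ip firewall filter print stats where chain=input
```

The `address=` restriction on `/ip service` is enforced by the service itself, independently of the firewall, so it still holds if a firewall rule is later reordered or removed.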

IPV4 DHCP Address Assignments

To set up DHCP leases with Fixed IPV4 addresses:

  • Click on "IP" → "DHCP Server" → "Leases"
    • Click on "Add New"
      • Enter the IP address to be assigned
      • Enter the device's MAC address (it can be found on the previous screen if it is online)
      • Press OK
    • If the device currently has a lease under a different IP:
      • Select it and click "Remove"
    • Otherwise, connect and switch on the device.

IPV6

RouterOS bundles its features into packages. By default only the basic packages are installed and enabled. IPV6 is provided by the "ipv6" package. On my router, looking under "System" → "Packages", this was installed but disabled.



Enabling the IPV6 package was just a matter of clicking that package line, followed by pressing the "Enable" button. Once I did that an entry on the screen said "Scheduled for enable". I rebooted the router by selecting "System" → "Reboot". After rebooting, the ipv6 package was now enabled:



And there is now an "IPV6" menu entry. To get an IPV6 address and prefix from TIME, we need to:

  • Click on "IPV6" → "DHCP Client"
  • Click "Add New"
    • Set interface to "pppoe-out1"
    • Under Request, tick "prefix" as well as "address"
    • Set "Pool Name" to "ISP"
    • untick "Use Peer DNS"
  • Click Apply



And with that the router immediately acquired an IPV6 address and prefix from the ISP. The IPV6 prefix acquired is automatically placed into a pool where it can be shared out by the router (verify under "IPV6" → "Pool"):



Next we need to assign a /64 out of the delegated prefix (the pool) to our LAN interface:

  • "IPV6" → "Addresses"
    • Click "Add New"
      • Address : "::/64"
      • From Pool: "ISP"
      • Interface: "bridge"
      • Advertise: tick
      • Press "OK"


The bridge interface will now have an IPV6 address from the "ISP" pool:




Because we ticked "Advertise" in the router's LAN IPV6 address, all the devices on the LAN will receive Router Advertisements containing the IPV6 prefix and automatically configure themselves with a global IP address. Here are the results of an IPV6 test:



Someone needs to get TIME's engineers to register a reverse hostname lookup for all their IPV4 and IPV6 addresses.

IPV6 Firewall

When I first set up my RB4011, there were no default IPV6 Firewall rules, probably because the IPV6 package was initially disabled. But later, once the IPV6 package was enabled, after I reset the router to factory settings, there were default IPV6 rules in place. I've placed the commands to re-create the rules below:
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
If selecting "IPV6 → Firewall → Filter Rules → All" doesn't show any rules, the rules can be re-created by executing the above from a terminal. Note that the rules refer to an address list named "bad_ipv6" and to the interface list "LAN"; both exist in the factory default configuration but are not created by the commands above, and the two "bad src/dst ipv6" rules match nothing until the list is populated.

These rules not only protect the router's external IPV6 address, they also block forwarding of unsolicited IPV6 packets to internal hosts. Without them, all the IPV6-enabled devices on your LAN are directly reachable from outside. This is unlike IPV4, where we use a private LAN address range, which is "naturally" protected from the outside by being unroutable from the internet. With IPV6 all your internal devices are assigned a publicly routable ("global") IPV6 address from the delegated prefix, which means that anyone who knows a device's IPV6 address can connect to any port that device itself is listening on.

The "forward" rules above block external traffic from initiating connections to the LAN IPV6 addresses. The IPV6 enabled devices on the LAN can still access the Internet over IPV6, without any NAT, it's just that the Internet cannot access them over IPV6. This is probably the best way to do it for now.

I've not figured out a way to selectively allow IPV6 access to certain ports on certain devices on your LAN. Theoretically, a rule just needs to be added to "allow" connections to that address and port in the "forward" chain. The problem is that the IP address is part of the prefix that is assigned, which is usually dynamic. So I'm not sure how you could create such a rule.
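Two additions to the rule set above, as an added example that is not part of the original post. The first is the "bad_ipv6" address list the defconf forward rules reference (the entries are the ones the factory configuration creates). The second is the selective allow the previous paragraph asks about: because the delegated prefix occupies the high 64 bits and the host's interface identifier the low 64 bits, the rule matches on the low bits only by using a mask that zeroes the prefix. The host identifier `::a1b2:c3d4:e5f6:1`, the interface name `pppoe-out1` and the comment of the final drop rule are taken from, or assumed from, the configuration above; the address/mask form in `dst-address` is the notation RouterOS's IPV6 firewall uses for this, so confirm with `print` on your version that the rule is accepted as written.

```routeros
# Added example, not from the original post. Assumes the interface, list and
# comment names used in the defconf rules above (pppoe-out1, LAN, bad_ipv6).

# Address list referenced by the "drop packets with bad src/dst ipv6" rules;
# these are the factory (defconf) entries, without them those two rules match nothing
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

# Selective inbound allow for one LAN host under a dynamic prefix:
# match only the low 64 bits (interface identifier), masking the prefix out.
# ::a1b2:c3d4:e5f6:1 is a made-up identifier. The server must keep a fixed
# suffix (EUI-64 or a static token, not a privacy/temporary address) or the
# rule stops matching when the host rotates its address.
/ipv6 firewall filter
add chain=forward action=accept protocol=tcp dst-port=22 in-interface=pppoe-out1 \
    dst-address=::a1b2:c3d4:e5f6:1/::ffff:ffff:ffff:ffff \
    comment="allow SSH to server, any delegated prefix" \
    place-before=[find chain=forward comment="defconf: drop everything else not coming from LAN"]

# The rule must sit above the final drop; the counters show whether it matches
/ipv6 firewall filter print stats where chain=forward
```

Only new connections need the explicit accept, since the "accept established,related,untracked" rule at the top of the forward chain already admits the return traffic.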

Google DNS + DNS Caching

To fully switch to Google DNS, I first had to stop using the peer (TIME's) DNS servers. This is done by:

  • click "PPP" in the menu
    • Select the "pppoe-out1" Interface
      • Set "Use Peer DNS" : unticked
      • Click "Apply"



Next we can configure the IP addresses of Google's DNS servers:

  • Select "IP" → "DNS"
    • The "Dynamic Servers" should be blank
    • Type in "8.8.8.8" in the Servers field
    • Then click on the down arrow to create a second field, and enter "8.8.4.4" for that.
    • Press Apply.
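The same change from the terminal, together with the setting that actually turns the router into a caching resolver for the LAN and the firewall check that goes with it. This is an added example, not from the original post; it assumes the LAN subnet 192.168.1.0/24 and the factory interface list "WAN" used elsewhere on this page.

```routeros
# Added example, not from the original post. Assumes LAN 192.168.1.0/24 and the
# factory interface list WAN (containing pppoe-out1).

# Google's resolvers; allow-remote-requests=yes is what lets LAN clients use the
# router as their DNS server and benefit from its cache
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

# allow-remote-requests makes the router answer DNS on every interface, so port
# 53 must be blocked from the WAN or the router becomes an open resolver that
# can be abused for DNS amplification. The factory input chain's final "drop
# all not coming from LAN" covers this; the two rules below make it explicit
# and keep it covered even if that catch-all is later edited.
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN \
    comment="no DNS from WAN" place-before=0
add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN \
    comment="no DNS from WAN" place-before=0

# LAN clients only use the cache if DHCP hands out the router's own address as DNS
/ip dhcp-server network print
# Verify the resolver settings and that the cache is filling up
/ip dns print
/ip dns cache print count-only
```

Queries from the LAN to 192.168.1.1 are still accepted by the default "accept from LAN" behaviour of the input chain; only the WAN side is closed.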




Dynamic DNS (Cloud IP)

MikroTik has its own dynamic DNS implementation, called "Cloud IP". It uses servers operated by MikroTik, and maps your router's public IP to a name made up of the router's serial number and a fixed domain (of the form <serial>.sn.mynetname.net).

To setup Cloud IP:

  • IP → Cloud
    • DDNS Enabled : Tick
    • DDNS Update Interval : no value
    • Update Time : tick



Once enabled the router will register a DNS name (based on your router's serial number) and the DNS name will be displayed. This name will always point to the most recent updated IP address of your router. An AAAA record is also registered to the IPV6 IP address on your WAN port.


If you have your own domain name, you can register a CNAME to this record to make it easier to remember.

The fact that it also maps an IPV6 DNS AAAA record is a bit of a problem for me, because I don't have my LAN virtual servers mapped to the router's IPV6 public IP yet (only on IPV4). So when clients that prefer IPV6 try to connect, they will hit the IPV6 IP of the router, and not be able to connect to the internal virtual server. I'd be interested in a solution for this. So for the meantime, I stick to using my DynDNS service, and only update an "A" record.


Port Forwarding

Port Forwarding is where you want to let a specific port on an internal server become accessible from the internet on a specific port.



To create a port forward from the public IP's external port 32400 to internal IP 192.168.1.6, internal port 32400, I did:

  • "IP" → "Firewall" → "NAT"
  • "Add New Rule"
    • The matching part tells the router that any TCP traffic coming IN from the internet (via pppoe-out1) to port 32400 should follow this rule:
      • set Chain to "dstnat"
      • set Protocol to "tcp"
      • set Dst Port to "32400" (the external port, X)
      • Set the "In. Interface" to "pppoe-out1".




    • Scroll down to the "Action" tab and set the value to "dst-nat". This tells the router what to do when the rule above is matched:
      • Set the "To address" to the IP of the internal host (192.168.1.6)
      • Set "To Ports" to 32400 (the internal port, Y)
    • Click "Apply"




This port forward rule only maps external traffic to the internal site. If you have internal traffic to the internal site, but want to access it using the external IP address or Dynamic DNS name, you will need to add a NAT Loopback / Hairpin Nat for that service.

NAT Loopback / Hairpin NAT


NAT Loopback / Hairpin NAT is needed if you have an internal server that you want to access from an internal client, but using the external IP / Dynamic DNS name. By default, the port forward only maps external traffic to the internal server. It doesn't know how to do a "U-turn" for internal traffic. If you want NAT loopback, you will have to set it up as below:

  • Add a "Hairpin NAT" rule to masquerade any traffic from the LAN to the LAN (This is a one time thing regardless of how many hairpin NATs you set up).
    • "IP" → "Firewall" → "NAT" → "Add New"
      • Set Chain to "srcnat"
      • Set "Src Address" to your LAN IP range, i.e. "192.168.1.0/24"
      • Set "Dst Address" to your LAN IP range, i.e. "192.168.1.0/24"
      • Set "Action" to "masquerade"
      • Set "Comment" to "Hairpin NAT"
      • Press "OK"
    • Drag the "Hairpin NAT" rule till it is at the top of the list of NAT rules.

  • Next you need to set up an "Address List" with your WAN IP, if it is dynamic. This is a one-time thing regardless of how many hairpin NATs you set up.
    • Set up "Cloud IP" (see above)
    • "IP" → "Firewall" → "Address List"
      • Click "Add New"
        • Set "Name" to "WAN-IP"
        • Set "Address" to your "Cloud IP" DNS Name

    • When you press "OK", a second entry will be made in the "Address Lists" window with the actual IP address of your WAN-IP at that time. This will refresh automatically. So you can refer to the Address List named "WAN-IP" to refer to your actual dynamic WAN IP at any time.



  • Next add the Port Forward entry, so external traffic connecting to Port X will be forwarded to Port Y on the internal IP. Unlike a standard Port Forward, we don't match the rule by the "In. Interface" but rather the "Dst. Address List" which we set to the WAN-IP. This way it captures not just external traffic pointing to the WAN IP, but also internal traffic.
    • "IP" → "Firewall" → "NAT" → "Add New"
      • set Chain to "dstnat"
        • set Protocol to "tcp"
        • set Dst Port to "80" (the external port, X)



        • Set the "Dst Address List" to "WAN-IP".
      • Scroll down to the "Action" tab and set the value to "dst-nat"
        • Set the "To address" to the IP of the internal host
        • Set "To Ports" to 8055 (Port Y).


  • Now you can access your internal host either using the public WAN IP / host name, regardless if you are connecting from the WAN or LAN.
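The whole procedure from the terminal, covering the static DHCP lease, the port forward and the hairpin NAT sections above in one go. This is an added example, not the original post's configuration: the LAN 192.168.1.0/24, server 192.168.1.6, and ports 80→8055 and 32400→32400 are the values used on this page, while the MAC address AA:BB:CC:DD:EE:FF and the Cloud IP name xxxxxxxxxxxx.sn.mynetname.net are placeholders to replace with your own.

```routeros
# Added example, not from the original post. Assumed: LAN 192.168.1.0/24 on
# "bridge", Internet on pppoe-out1, server 192.168.1.6 with a made-up MAC
# AA:BB:CC:DD:EE:FF, Cloud IP name xxxxxxxxxxxx.sn.mynetname.net (placeholder).

# 0. Pin the server's address first, so the forward never points at a stale lease
/ip dhcp-server lease
add address=192.168.1.6 mac-address=AA:BB:CC:DD:EE:FF comment="internal server"
# For a device that already holds a dynamic lease, convert it instead:
# make-static [find mac-address=AA:BB:CC:DD:EE:FF]

# 1. Address list that follows the public IPv4 address through the DDNS name;
#    RouterOS re-resolves the name when the record's TTL expires
/ip firewall address-list
add list=WAN-IP address=xxxxxxxxxxxx.sn.mynetname.net comment="current WAN IP"

/ip firewall nat
# 2. Hairpin: a LAN client reaching the server via the public address gets
#    masqueraded, so the server replies through the router rather than directly
#    to the client (which would break the connection). One rule covers all forwards.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.0/24 comment="Hairpin NAT" place-before=0
# 3. Forwards matched on the WAN-IP list instead of In. Interface, so they apply
#    to connections from the Internet and from the LAN alike
add chain=dstnat action=dst-nat protocol=tcp dst-address-list=WAN-IP dst-port=80 \
    to-addresses=192.168.1.6 to-ports=8055 comment="web -> 192.168.1.6:8055"
add chain=dstnat action=dst-nat protocol=tcp dst-address-list=WAN-IP dst-port=32400 \
    to-addresses=192.168.1.6 to-ports=32400 comment="32400 -> 192.168.1.6:32400"

# 4. Verify: the list shows a second, dynamic entry with the resolved address,
#    and the rule counters move when you connect from the LAN and from outside
/ip firewall address-list print where list=WAN-IP
/ip firewall nat print stats
# The factory forward chain only admits WAN connections that were dst-nat'ed
# ("defconf: drop all from WAN not DSTNATed"), so no extra filter rule is needed:
/ip firewall filter print where comment~"DSTNAT"
```

Every dstnat rule is a service exposed to the whole Internet; where the set of legitimate clients is known, add a `src-address-list=` match to the rule so the exposure is limited to them.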


Dynamic DNS (DynDNS)

There's no built-in support for updating DynDNS servers (IP → Cloud only updates MikroTik's own name), so it needs to be done using a script. Create it under "System" → "Scripts" with the name "DynDNS Updater" (the name the scheduler entry below refers to) and paste in the following:

# DynDNS updater; run from /system scheduler. Fill in your own values.
:local ddnsuser "theddnsusername"
:local ddnspass "theddnspassword"
:local theinterface "pppoe-out1"
:local ddnshost "blabla.dyndns.org"

# Address currently on the WAN interface, e.g. "202.184.32.150/32"
:local ipfresh [/ip address get [/ip address find interface=$theinterface] address]
:if ([:typeof $ipfresh] = "nil") do={
    :log info "DynDNS: no IP address on $theinterface"
} else={
    # Strip the "/prefix-length" part
    :set ipfresh [:pick $ipfresh 0 [:find $ipfresh "/"]]
    # What the DynDNS name currently resolves to
    :local ipddns [:resolve $ddnshost]
    :if ($ipddns != $ipfresh) do={
        :log info "DynDNS: $ddnshost resolves to $ipddns, interface has $ipfresh, sending update"
        # Use https: with plain http the DynDNS username and password cross the Internet in clear text
        :local str "/nic/update\?hostname=$ddnshost&myip=$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
        /tool fetch mode=https address="members.dyndns.org" src-path=$str user=$ddnsuser \
            password=$ddnspass dst-path=("DynDNS.".$ddnshost)
        :delay 1
        # fetch writes the server's reply to a file; we don't need to keep it
        /file remove [/file find name="DynDNS.$ddnshost"]
        :log info "DynDNS: IP updated to $ipfresh"
    } else={
        :log info "DynDNS: no change needed"
    }
}
If all went well, you should see an entry at the bottom of the "Log" as follows:



To have the script run automatically, an entry needs to be made in the scheduler:

  • "System" → "Scheduler"
    • Name: "Update DynDNS"
    • Start Time: "startup"
    • Interval: "00:01:00" (every minute; the comparison uses the router's DNS cache, so an update can lag by the record's TTL)
    • On Event "DynDNS Updater"
    • Click "OK"


Add Traffic Graphs

  • "Tools" → "Graphing"
    • "Interface Rules"
      • "Add New"
        • Set Interface to "pppoe-out1"
        • Set "Allow Address" to your LAN subnet (192.168.1.0/24) so the graphs can only be viewed from the LAN
        • Press "OK"


The graphs are accessible via the "graphs" menu entry:





Tips with working from the Command Line

  • To print the settings for a section (e.g. IPV6 firewall filters):
    • /ipv6 firewall filter print
  • To remove all the settings from a section (e.g. IPV6 firewall filters):
    • /ipv6 firewall filter remove [/ipv6 firewall filter find]
  • To dump all the settings from a section (e.g. IPV6 firewall filters):
    • /ipv6 firewall filter export
  • Set IP Address on an interface:
    • /ip address add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
