search
Page cover

Mikrotik RouterOS Hardening for your home internet connection

The price point of Mikrotik hAP devices are quite reasonable and fair compared to any major off the shelf brands like Netgear, TP-Link, D-Link, etc., Therefore, I have been deploying Mikrotik devices for friends and family for home internet connection. It is a kind of overkill for home router to be managed and maintained but there are many ways to do it properly if you know how to use the RouterOS. The Mikrotik Proarrow-up-right mobile app is one of the easy ways to remote access and administer the Mikrotik hAP devices.

Over the past couple of years, I have been researching and experimenting on how to secure the Mikrotik devices for the normal home users. So here is the best configuration I can think of to harden the Mikrotik hAP devices for home internet connections. I know that Mikrotik hAP devices come with default configuration out of the box but I guess it is not good enough.

hashtag
Prerequisites

  • Mikrotik RouterOS version 7.8

  • Basic level of comfortableness with Mikrotik RouterOS CLI

hashtag
Configuration

Here is the full configuraiton of Mikrotik hAP device with its hardening parts in it.

# Create LAN side bridge interface 
/interface bridge
add name=lan

# Name the ether1 as wan
/interface ethernet
set [ find default-name=ether1 ] name=wan

# Create lists for LAN and WAN so that it can referenced easily in other parts.
/interface list
add name=WAN
add name=LAN

# Create a wireless security profile for wifi SSID
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed \
    mode=dynamic-keys name=wifi wpa2-pre-shared-key="wifi-password"

# Configure the wifi SSID and its associated security profile
# Note that there are a few configs that need to be noticed
# First, antenna-gain is set to 0 for more efficient and long range wifi connection
# Second, the SSID is hidden for better security
# Third, installation is set to indoor and country is set to australia
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=20/40mhz-XX \
    country=australia disabled=no frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge security-profile=wifi \
    ssid=2ghz-wifi wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    country=australia disabled=no frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge security-profile=wifi \
    ssid=5ghz-wifi wireless-protocol=802.11
    
# Configure IP Pool and DHCP server for LAN side
/ip pool
add name=dhcp ranges=192.168.233.100-192.168.233.254
/ip dhcp-server
add address-pool=dhcp interface=lan name=dhcp1
/ip dhcp-server network
add address=192.168.233.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=192.168.233.1 netmask=24

# Configure PPPoE-client to authenticate against ISP server
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan name=pppoe-out1 \
    profile=default-encryption [email protected] password="passwd" \
    keepalive-timeout=10 add-default-route=yes default-route-distance=1 \
    dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2
    
# Add relevant interfaces to lan bridge
/interface bridge port
add bridge=lan ingress-filtering=no interface=ether2
add bridge=lan ingress-filtering=no interface=ether3
add bridge=lan ingress-filtering=no interface=ether4
add bridge=lan ingress-filtering=no interface=ether5
add bridge=lan ingress-filtering=no interface=wlan2
add bridge=lan ingress-filtering=no interface=wlan1

# Add relevant interfaces to interface list
/interface list member
add interface=wan list=WAN
add interface=lan list=LAN
add interface=pppoe-out1 list=WAN
    
# Configure interface IP addresses    
/ip address
add address=192.168.233.1/24 interface=lan network=192.168.233.0
add address=172.16.1.1/30 interface=wireguard1 network=172.16.1.0

# Disable default DHCP cleint config on ether1 or wan interface
/ip dhcp-client
add disabled=yes interface=wan

# Configure DNS 
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2

# Configure firewall filter rules
/ip firewall address-list
add address=192.168.233.0/24  list=lan
/ip firewall filter
add action=drop chain=input comment="drop invalid to router" connection-state=invalid
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=accept chain=input comment="allow icmp from lan" protocol=icmp src-address-list=lan
add action=accept chain=input comment="allow winbox from lan" dst-port=8291 protocol=tcp src-address-list=lan
add action=accept chain=input comment="allow ssh from lan" dst-port=22 protocol=tcp src-address-list=lan
add action=accept chain=input comment="allow returning and related traffic" connection-state=established,related
add action=drop chain=input comment="drop all other input"
   
# Configure source NAT masquerade for the internet breakout 
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.233.0/24

# Disable the service ports not in use
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

# Disable the ip services not in use and restrict the source addresses for ssh and winbox
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.233.0/24,123.0.0.231/32
set api disabled=yes
set winbox address=192.168.233.0/24,123.0.0.231/32
set api-ssl disabled=yes

# Set the correct timezone 
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Darwin

# Set the system name
/system identity
set name=mtr01

# Set NTP client and configure with desired NTP servers IP
/system ntp client
set enabled=yes
/system ntp client servers
add address=129.250.35.250
add address=129.250.35.251

# To trigger a notification email upon startup in case of device rebooting
/system scheduler
add name=reboot_report on-event=":delay 60\r\
    \n/tool e-mail send [email protected] subject=\"mtr01: router has\
    \_been reboot at home!\" body=\"The mtr01 router has been r\
    eboot at home!\"" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup

# Disable bandwidth-server
/tool bandwidth-server
set enabled=no

# Configure SMTP server for emailing notification
/tool e-mail
set address=smtp.goodisp.com.au [email protected]

# Restrict the layer2 MAC-server access from LAN interface list only
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# Monitor the internal host on LAN side with PING status
/tool netwatch
add disabled=no down-script="/tool e-mail send [email protected] subject=\
    \"srv01: PING is down at home!\" body=\"The srv01 host's PING is down at home!\"" \
    host=192.168.233.233 http-codes="" interval=30m test-script="" timeout=5s type=icmp up-script=""

As you can see in the above configuration, it can be secured by using firewall filter rule and disabling the unused services as well as automated to do some checks for internal devices in LAN and device reboot status. In fact, there are more interesting things you can do with Mikrotik built-in scripting engine for maintenance like updating the packages and upgrading the firmware at night.

PreviousMikrotik Use Cases - PPPoE, ECMP, Failover, Recursive Routing and WireGuardNextKali Linux with Vagrant for HTB

Last updated