Tuesday, September 15, 2015

Getting your Mikrotik to work with Internode and the NBN

Yes, you can use a Mikrotik with an NBN connection.

Here's how I hooked up my Mikrotik RB961G and routerOS version 6. My ISP is Internode, who also provide a native IPv6 subnet.

There wasn't a lot out there on getting the Mikrotik to work, particularly with IPv6 networking.

I thought I'd write it up for posterity.  Incidentally, I pay a little more to Internode to get a business grade connection, with static IPV4 and IPv6 links. And Internode tech support to business customers is the very best.

Schematic

Here is a picture of what we want to achieve. The Mikrotik logs in to Internode using PPPoE via the NBN Fibre Connection box. It source-NATs IPv4 traffic from the LAN, while IPv6 traffic from the LAN is routed natively.



The Mikrotik presents five ethernet interfaces. In the default configuration, Port 1 is expected to be the WAN gateway, and Ports 2 - 5 and wireless are bridged together to form the Internal LAN.

The NBN Fibre Connection box sits inside your house, and expects a PPPoE client, such as modem or your Mikrotik, to connect to the port "UNI-D 1" using a regular ethernet cable - Cat 5e is preferable.


Enabling IPv6


The routerOS IPv6 package is not enabled by default. I had to enable it through the WebFig GUI, and reboot. Here's what my settings looked like after the reboot.


PPPoE client:

Of course, you'll need to change the user and password values. You can also do this quite efficiently through the Webfig quickset interface.

## Even though we have a fixed IP address, we still connect to Internode
## using the PPPoE client.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1480 \
    max-mtu=1480 name=pppoe-out1 password=very-very-secret \
    profile=default-encryption use-peer-dns=yes \
    user=example.user.name@internode.on.net

The PPPoE client will set up my IPv4 static IP and default route each time it connects.

IPv4 config ("/ip export")

Now for the IPv4 part. Some of this is from the defaults so you might get some errors (which can be ignored) if you copy and paste the lines below indiscriminately.

As with the PPPoE setting above, much of this can be done using the Webfig quick set interface. However, the default firewall rules will be broken and need to be redone.

For completeness, I'm presenting the command line configs here as that is what I use.

## Use the default LAN subnet
/ip address
add address=192.168.88.1/24 comment="LAN address" interface=\
    ether2-master-local network=192.168.88.0

## Provide a DHCP server to our LAN subnet
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=3d name=\
    "LAN DHCP server"
/ip dhcp-server network
add address=192.168.88.0/24 comment="LAN address" dns-server=192.168.88.1 \
    domain=int gateway=192.168.88.1 netmask=24

## Set up this router as a caching DNS server
/ip dns
set allow-remote-requests=yes servers=2001:4860:4860::8844
/ip dns static
add address=192.168.88.1 name=router
add address=127.0.0.1 name=vortex-win.data.microsoft.com
add address=127.0.0.1 name=settings-win.data.microsoft.com

Obviously, we need to include some traffic filtering on our Mikrotik to stop the black hats hacking into our router. Same goes for IPv6.

## Define RFC 1918 private addresses. We'll include broadcast addresses
## for convenience
/ip firewall address-list
add address=10.0.0.0/8 list="RFC 1918 Private"
add address=172.16.0.0/12 list="RFC 1918 Private"
add address=192.168.0.0/16 list="RFC 1918 Private"
add address=255.255.255.0 list="RFC 1918 Private"
add address=255.255.255.255 list="RFC 1918 Private"

## Define a second address list for known bad countries, such as China.
## (for demonstration purposes I've included only one subnet).
add address=223.240.0.0/13 list="Bad countries"

## Set up the firewall
/ip firewall filter
add chain=input comment="Allow Established Connections" connection-state=\
    established
add chain=input comment="Allow Related Connections" connection-state=related
add chain=input comment=\
    "Allow input from LAN, but only from RFC 1918 private addresses" \
    in-interface=bridge-local src-address-list="RFC 1918 Private"
add action=tarpit chain=input comment="Tarpit known attackers" log-prefix=\
    "Block tcp tarpit" protocol=tcp src-address-list=Tarpit
add action=drop chain=input log-prefix="Tarpit dropped" src-address-list=\
    Tarpit
add chain=input comment=ICMP limit=100,200 protocol=icmp
add action=drop chain=input comment=Invalid connection-state=invalid \
    in-interface=pppoe-out1
add action=add-src-to-address-list address-list=Tarpit address-list-timeout=\
    1h chain=input comment="default configuration" in-interface=pppoe-out1 \
    log=yes log-prefix="Adding to tarpit: " protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=Tarpit chain=input dst-port=\
    53 in-interface=pppoe-out1 log=yes log-prefix="Add to tarpit" protocol=\
    udp
add action=drop chain=input log-prefix="Final drop" src-address-list=\
    "!RFC 1918 Private"
add chain=forward comment="Established Connections" connection-state=\
    established
add chain=forward comment="Related Connections" connection-state=related
add chain=forward comment="New Connections" connection-state=new \
    src-address-list="RFC 1918 Private"
add action=drop chain=forward comment="Invalid Connections" connection-state=\
    invalid log-prefix="Blocked - Invalid"
add action=reject chain=forward comment=Default log=yes log-prefix=\
    "Rejected forwarding : "
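As an added illustration (not part of the original post and not RouterOS code), the following Python model walks a packet through the input chain above in rule order, treating add-src-to-address-list as non-terminating the way RouterOS does. It shows that a single unsolicited SYN arriving on pppoe-out1 is dropped by the final rule but also lands its source in the Tarpit list so the next attempt is tarpitted, and that a LAN host is only accepted when its source really is an RFC 1918 address; the packet fields and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example.

```python
import ipaddress

# Static list from the page's /ip firewall address-list (the three RFC 1918 ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_list(addr, name, lists):
    """Address-list match: 'RFC 1918 Private' is static, everything else is dynamic."""
    if name == "RFC 1918 Private":
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    return addr in lists.get(name, set())

# Model of the page's input chain, in the same order as the RouterOS rules.
# "accept" is the RouterOS default action; "add:<list>" models add-src-to-address-list.
INPUT_CHAIN = [
    ({"state": "established"}, "accept"),
    ({"state": "related"}, "accept"),
    ({"in_if": "bridge-local", "src_list": "RFC 1918 Private"}, "accept"),
    ({"proto": "tcp", "src_list": "Tarpit"}, "tarpit"),
    ({"src_list": "Tarpit"}, "drop"),
    ({"proto": "icmp"}, "accept"),  # the limit=100,200 rate limit is not modelled
    ({"state": "invalid", "in_if": "pppoe-out1"}, "drop"),
    ({"in_if": "pppoe-out1", "proto": "tcp", "syn": True}, "add:Tarpit"),
    ({"in_if": "pppoe-out1", "proto": "udp", "dst_port": 53}, "add:Tarpit"),
    ({"not_src_list": "RFC 1918 Private"}, "drop"),  # src-address-list="!RFC 1918 Private"
]

def matches(rule, pkt, lists):
    for key, want in rule.items():
        if key == "src_list":
            if not in_list(pkt["src"], want, lists):
                return False
        elif key == "not_src_list":
            if in_list(pkt["src"], want, lists):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def run_input_chain(pkt, lists):
    """Return the terminating verdict for pkt; lists is mutated like the dynamic Tarpit list."""
    for rule, action in INPUT_CHAIN:
        if not matches(rule, pkt, lists):
            continue
        if action.startswith("add:"):
            lists.setdefault(action[4:], set()).add(pkt["src"])
            continue  # RouterOS keeps evaluating after add-src-to-address-list
        return action
    return "accept"  # implicit chain policy when no rule terminates

if __name__ == "__main__":
    tarpit = {}  # constructed: a scanner in documentation range 203.0.113.0/24 probing SSH
    probe = {"src": "203.0.113.5", "in_if": "pppoe-out1", "proto": "tcp",
             "state": "new", "syn": True, "dst_port": 2222}
    print(run_input_chain(probe, tarpit), run_input_chain(probe, tarpit))  # drop tarpit
```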

## Source NAT on the PPPoE interface
/ip firewall nat
add action=masquerade chain=srcnat comment="Source NAT" out-interface=\
    pppoe-out1 to-addresses=0.0.0.0

## Make sure only local users can log in to the Mikrotik router. SSH
## port altered to slow down the script kiddies.
/ip service
set telnet disabled=yes
set ftp address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
set www address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
set ssh address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 port=2222
set api disabled=yes
set winbox address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
set api-ssl address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8

IPv6 config ("/ipv6 export")

The IPv6 configuration was the part that took time to get right. I spent a few nights trying to figure out why IPv6 initially worked and then stopped working, which was very frustrating.

Without further ado, here is the working example:

## Pick a low number out of your IPv6 subnet and assign it to the
## internal LAN. I've used the second address from my IPv6 subnet 
## "2001:44b9:2143:8c00::/56"
/ipv6 address
add address=2001:44b9:2143:8c00::2 interface=ether2-master-local

## In order for Internode's routers to find us, we have to use
## the DHCPv6 client over the PPPoE interface. The pppoe-out1 interface
## is already established by the PPPoE client in the IPv4 section
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=ipv6-pool

## Set up a simple firewall. This presumes the bad guys are on the
## outside. A dangerous assumption, but good enough to get started.

/ipv6 firewall address-list
add address=2001:44b9:2143:8c00::/56 list=Local
add address=fe80::/16 list=Local

/ipv6 firewall filter
add chain=input comment="Router  Accept established connections" \
    connection-state=established
add chain=input comment="Router  Accept related connections" \
    connection-state=related
add chain=input comment="Router  Allow IPv6 ICMP" protocol=icmpv6
add action=drop chain=input comment="Router  Drop invalid connections" \
    connection-state=invalid
add chain=input comment="Router- PPOE Client" dst-address=fe80::/32 dst-port=\
    546 in-interface=pppoe-out1 protocol=udp src-address=fe80::/32 src-port=\
    547
add chain=input comment="From Local addresses" connection-state=new \
    src-address-list=Local
add action=drop chain=input comment="Router  Drop other traffic"
add chain=forward comment="LAN  Accept established Connections" \
    connection-state=established
add chain=forward comment="LAN  Accept related connections" connection-state=\
    related
add chain=forward comment="LAN accept new connections" connection-state=new \
    protocol=tcp src-address-list=Local
add chain=forward comment="LAN  Accept UDP" protocol=udp
add chain=forward comment="LAN  Accept ICMPv6 " protocol=icmpv6
add action=drop chain=forward comment="LAN  Drop invalid Connections" \
    connection-state=invalid
add action=log chain=forward comment="LAN  Log everything else" log-prefix=\
    "Log IPv6 dropped: "
add action=reject chain=forward comment="LAN  Drop everything else" \
    in-interface=pppoe-out1

## Configure IPv6 Neighbour discovery.
/ipv6 nd
set [ find default=yes ] advertise-dns=yes other-configuration=yes \
    ra-lifetime=1h
add advertise-dns=yes interface=bridge-local other-configuration=yes \
    ra-lifetime=1h reachable-time=30m retransmit-interval=15s
/ipv6 nd prefix
add autonomous=no interface=ether2-master-local

You should then be able to access an IPv6 testing site such as http://ipv6-test.com/ and get a positive result.



Thanks to Karl Auer for the pointers at this link: http://into6.com.au/?p=214

Keywords: Microtik, NBN, Internode, PPPoE, IPv6, IP6, Firewall

2 comments:

  1. Is there any chance of getting the phone to work too? Would be very interested if it's possible.

    1. Use a LINKSYS PAP2T-NA SIP VoIP phone adapter. They are about $25. Plug an ethernet cable into your router and connect to it, set up your SIP account; you can get the details from Internode.