Mikrotik RouterOS

RouterOS is a router software package produced by the Latvian company Mikrotik. They also produce many different types of routers which run this firmware, although an x86 version is also available.

Mikrotik CHR

The Cloud Hosted Router (CHR) is a disk image intended for running the router as a virtual machine or on a VPS. While the disk image is useful for a local VM, on hosted systems it can be non-trivial to attach an existing disk image to a VM. Alternatively the CHR can be installed from a live-disk shell by downloading the raw image and writing it to the disk. Beware though that by default the image has only a single interface configured and the default credentials set (user admin with an empty password).

My install guide is based on this Medium article. By using the Arch Linux install ISO, several of the steps are eliminated.

After booting the Arch Linux ISO, you are automatically logged in as root.

/tmp is already a tmpfs, so cd into it and download the raw CHR image. Get the URL for this from https://www.mikrotik.com/download for the “Cloud Hosted Router” raw image.

cd /tmp
wget -O chr.img.zip https://download.mikrotik.com/routeros/6.46.5/chr-6.46.5.img.zip

Then extract the image and write it to the hard drive.

gunzip -c chr.img.zip > chr.img
dd if=chr.img of=/dev/sda bs=4M oflag=sync

The next step is optional, but for internet-facing VMs it is important to set a password before the VM is exposed to the internet.

mount /dev/sda1 /mnt
echo "/user set 0 password=NEW-PASSWORD" > /mnt/rw/autorun.scr
umount /mnt

Since this is a fully functional live disk, the standard reboot and shutdown commands still work.
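The install steps above wrapped into checked shell functions, as an added example that is not part of the original post or the Medium article it follows: the extracted file is checked for an MBR boot signature before anything is written to the disk, and the password is quoted in autorun.scr so spaces and special characters survive. The function names, the chr.img temporary file and the signature check are assumptions; the mount point and DISK1 partition naming mirror the /dev/sda and /dev/sda1 used above.

```shell
#!/bin/sh
# Added example (not from the page): the install steps as checked functions.
# Assumed names: is_raw_disk_image, build_autorun, write_autorun, install_chr.
set -eu

# Return 0 if FILE looks like a raw disk image: bytes 510-511 must hold the
# MBR boot signature 0x55 0xAA. Catches a still-zipped file, an HTML error
# page or a truncated download before it is written to the disk.
is_raw_disk_image() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Print the RouterOS autorun script that sets the password of user 0 (admin).
# The value is double-quoted, with embedded quotes and backslashes escaped
# the way RouterOS strings expect, so spaces and special characters survive.
build_autorun() {
    esc=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
    printf '/user set 0 password="%s"\n' "$esc"
}

# Write the autorun script to MOUNT/rw/autorun.scr on the mounted CHR partition.
write_autorun() {
    mount_dir=$1
    mkdir -p "$mount_dir/rw"
    build_autorun "$2" > "$mount_dir/rw/autorun.scr"
}

# Whole flow: ZIP is the downloaded chr-*.img.zip, DISK the target device
# (e.g. /dev/sda, whose first partition is then DISK1 as in the steps above).
install_chr() {
    zip=$1; disk=$2; password=$3
    gunzip -c "$zip" > chr.img
    is_raw_disk_image chr.img || { echo "chr.img lacks an MBR signature; not writing to $disk" >&2; return 1; }
    dd if=chr.img of="$disk" bs=4M oflag=sync
    mount "${disk}1" /mnt
    write_autorun /mnt "$password"
    umount /mnt
}
```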


Base Config

Since the CHR has no default configuration for handling LAN and WAN networks, one is needed. The config below sets up:

  • LAN and WAN interface lists
  • a LAN bridge
  • a firewall with NAT and WAN traffic dropped
  • a static LAN address
  • a DHCP client for WAN
  • a DHCP server for LAN
  • a DNS server for LAN
  • strong SSH crypto
  • mac-winbox access from LAN
  • detect internet on WAN

Most of this is set by default on Mikrotik hardware routers, although this version improves on the SSH crypto and detect-internet settings.

# for RouterOS 6.46.3
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN

# fill in your LAN addressing: LAN_ADDRESS is the router's LAN IP, LAN_NETWORK the subnet address,
# PREFIX the prefix length and FIRST_IP-LAST_IP the DHCP pool range
/ip address add address=LAN_ADDRESS/PREFIX interface=bridge network=LAN_NETWORK
/ip pool add name=default-dhcp ranges=FIRST_IP-LAST_IP
/ip dhcp-server add address-pool=default-dhcp disabled=no interface=bridge lease-time=2h
/ip dhcp-server network add address=LAN_NETWORK/PREFIX gateway=LAN_ADDRESS
/ip dhcp-client add disabled=no interface=ether1
/ip dns static add address=LAN_ADDRESS name=router.lan

/ip dns set allow-remote-requests=yes
/interface detect-internet set detect-interface-list=WAN
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip ssh set strong-crypto=yes
/system clock set time-zone-name=Europe/London
/system identity set name=MikroTik
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

There are some extra niceties which can be added through the scheduler, such as: