Scribd
Upload
482 views18 pages

Mikrotik CLI

Mikrotik CLI commands are similar to Linux commands as Mikrotik uses a Linux kernel. TAB autocompletion makes it easy to enter long commands without typing the full command. The document then provides instructions on viewing available commands with ?, renaming interfaces, changing the password and hostname, configuring IP addresses, gateway, NAT, DNS servers and setting up a DHCP server to assign IP addresses to clients on the network.

Uploaded by

ino
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
482 views18 pages

Mikrotik CLI

Mikrotik CLI commands are similar to Linux commands as Mikrotik uses a Linux kernel. TAB autocompletion makes it easy to enter long commands without typing the full command. The document then provides instructions on viewing available commands with ?, renaming interfaces, changing the password and hostname, configuring IP addresses, gateway, NAT, DNS servers and setting up a DHCP server to assign IP addresses to clients on the network.

Uploaded by

ino
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 18

Mikrotik CLI

Mikrotik command actually almost the same as the existing command linux, mikrotik
because basically this is a Linux kernel, the result of processing back from the Debian
distribution of Linux. Use the same command shell, such as saving the command, simply use
the TAB key on the keyboard then a long command, no longer need to be typed, simply type
the beginning of the command is called, will automatically display the Shell will own
commands respect. For example IP ADDRESS command in mikrotik. Enough just type in
the IP ADD spaced press the TAB key, then the automatic shell will recognize and translate
the IP ADDRESS command.
Let us continue with the introduction of this command.

untuk melihat semua list perintah anda bisa ketik ? dan hasil nya akan muncul seperti di
bawah ini

[admin@MikroTik] > ?
beep -blink -certificate -- Certificate management
delay -- does nothing for a while
do -- executes command
driver -- Driver management
environment -- list of all variables
error -- make error value
execute -- run script as separate console job
file -- Local router file storage.
find -- Find items by value
for -- executes command for a range of integer values
foreach -- executes command for every element in a list
global -- set value global variable
if -- executes command if condition is true
import -interface -ip -- IP options

led -len -- return number of elements in value


local -- set value of local variable
log -- System logs
metarouter -mpls -nothing -- do nothing and return nothing
parse -- build command from text
password -- Change password
pick -- return range of string characters or array values
ping -- Send ICMP Echo packets
port -- Serial ports
ppp -- Point to Point Protocol
put -- prints argument on the screen
queue -- Bandwidth management
quit -- Quit console
radius -- Radius client settings
redo -- Redo previously undone action
resolve -- perform a dns lookup of domain name
routing -set -- Change item properties
setup -- Do basic setup of system
snmp -- SNMP settings
special-login -- Special login users
store -system -- System information and utilities
terminal -- commands related to terminal handling
time -- returns time taken by command to execute
toarray -- convert argument to array value
tobool -- convert argument to truth value
toid -- convert argument to internal number value
toip -- convert argument to IP address value
toip6 -- convert argument to IPv6 address value
tonum -- convert argument to integer number value
tool -- Diagnostics tools
tostr -- convert argument to string value
totime -- convert argument to time interval value
typeof -- return type of value
undo -- Undo previous action
user -- User management
while -- executes command while condition is true
export -- Print or save an export script that can be used to restore configuration
[admin@MikroTik] >
Lanjut......
1. Looking at the condition of the interface on Router Mikrotik
[Admin @ MikroTik]> interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
[Admin @ MikroTik]>
If there is an X interface (disabled) after the number (0.1), then check again etherned card,
should be R (running).

a. Renaming interface
[Admin @ MikroTik]> interface (enter)
b. To rename a Public Interface ether1 (or whatever his name), then
[Admin @ MikroTik] interface> set 0 name = Public
c. Likewise for ether2, say his name changed to Local, then
[Admin @ MikroTik] interface> set 1 name = Local
d. or just from the position of the root directory, use the sign "/", without quotes
[Admin @ MikroTik]> / interface set 0 name = Public
e. Check again if the interface name had been changed.
[Admin @ MikroTik]> / interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R Local ether 0 0 1500
1 R Public ether 0 0 1500
2. - Change the default password
To change the default password security
[Admin @ Mikrotik]> password
old password: *****
New password: *****
Retype new password: *****
[Admin @ Mikrotik]]>
3. - Renaming hostname
Renaming Mikrotik Router for easy configuration, in this step
server name will be changed to "myrouter"
[Admin @ MikroTik]> system identity set name = myrouter
[Admin @ myrouter]>
4. - Setting the IP Address, Gateway, and Name Server Masqureade
- [4.1] - IP Address
Order form configuration
ip address add address = {ip address / netmask} interfaces = {interface name}
a. Provides the IP address on the interface Mikrotik. Public suppose we will use to
connection to the Internet with IP 192.168.1.2 and the Local will be used for the LAN network
us with the IP 192.168.0.30 (See topology)
[Admin @ myrouter]> ip address add address = 192.168.1.2 \
netmask = 255.255.255.0 interface = Public comment = "IP to the Internet"
[Admin @ myrouter]> ip address add address = 192.168.0.30 \
netmask = 255 255 255 224 interface = Local comment = "IP to the LAN"
b. Viewing the IP address configuration we have given
[Admin @ myrouter]> ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE

0;;; IP Address to the Internet


192.168.0.30/27 192.168.0.0 192.168.0.31 Local
1;;; IP Address to the LAN
192.168.1.2/24 192.168.0.0 192.168.1.255 Public
[Admin @ myrouter]>
- [4.2] - Gateway
Forms Configuration Commands
ip route add gateway = {ip gateway}
a. Providing default gateway, the gateway to the internet connection is assumed is
192.168.1.1
[Admin @ myrouter]> / ip route add gateway = 192.168.1.1
b. Viewing the routing table on MikroTik Routers
[Admin @ myrouter]> ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE PREFSRC
0 ADC 192.168.0.0/24 192.168.0.30 Local
1 ADC 192.168.0.0/27 192.168.1.2 Public
2 A S 0.0.0.0 / 0 r 192.168.1.1 Public
[Admin @ myrouter]>
c. Ping test to the Gateway to ensure the configuration is correct
[Admin @ myrouter]> ping 192.168.1.1
192.168.1.1 64 byte ping: ttl = 64 time <1 ms 192.168.1.1 64 byte ping: ttl = 64 time <1
ms 2 packets transmitted, 2 packets received, 0% packet loss round-trip min / avg / max =
0/0.0/0 ms [Admin @ myrouter]>
- [4.3] - NAT (Network Address Translation)
Forms Configuration Commands
ip firewall nat add chain = srcnat action = masquerade out-inteface = {ethernet
are directly connected to the Internet or Public}
a. Setup Masquerading, if Mikrotik will we use as a gateway server so that
client computer on the network can connect to the internet we need to masquerading.
[Admin @ myrouter]> ip firewall nat add chain = scrnat out-interface = Public action =
masquerade
[Admin @ myrouter]>
b. Look at the configuration Masquerading
[Admin @ myrouter] ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain = srcnat out-interface = Public action = masquerade
[Admin @ myrouter]>
- [4.4] Name servers

Forms Configuration Commands


ip dns set primary-dns = {primary} secondary-dns dns dns = {second}
a. Setup DNS on Mikrotik Routers, eg DNS with Ip Addressnya
Primary = 202.134.0.155, Secondary = 202.134.2.5
[Admin @ myrouter]> ip dns set primary-dns = 202.134.0.155 allow-remoterequests = yes
[Admin @ myrouter]> ip dns set secondary-dns = 202.134.2.5 allow-remoterequests = yes
b. Viewing the configuration control
[Admin @ myrouter]> ip dns print
primary-dns: 202.134.0.155
secondary-dns: 202.134.2.5
allow-remote-requests: no
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 16KiB
[Admin @ myrouter]>
c. Tests for the access domain, for example with ping domain name
[Admin @ myrouter]> ping yahoo.com
216 109 112 135 64 byte ping: ttl = 48 time = 250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min / avg / max = 571/571.0/571 ms
[Admin @ myrouter]>
If you have successfully reply mean DNS settings are correct.
After this step can be done to check the connection from the local network. And if
means we have successfully managed to install Mikrotik Router as a Gateway
server. After connecting with Mikrotik network can be managed using the WinBox
can be downloaded from the server mikrotik Mikrotik.com or from us. Eg Ip address server
mikrotik we 192.168.0.30, via a browser open http://192.168.0.30. In the Browser will be
displayed
in a web form with multiple menus, search and download text Download WinBox from there.
Save on the local hard drive. Winbox Run, enter the IP address, username and password.
5. - DHCP Server
DHCP stands for Dynamic Host Configuration Protocol, which is a program that
allows setting the IP Address on a network performed on a centralized server,
so the PC Client does not need to configure IP Address. DHCP allows an administrator
for addressing the ip address for the client.
Form of configuration commands
ip dhcp-server setup
dhcp server interfaces = {interface used}
dhcp server space = {network that will be in dhcp}
gateway for dhcp network = {ip gateway}
address to give out ip address = {range}
dns servers = {server name}
lease time = {} of the lease granted

If we want the client get IP address automatically then we need to setup


dhcp server on the Mikrotik. Here are the steps:
a. Add the IP address pool
/ Ip pool add name = dhcp-pool ranges = 192.168.0.1-192.168.0.30
b. Add a DHCP Network and gateway that will be distributed to the client.
In this example networknya gateway is 192.168.0.0/27 and 122.168.0.30
/ Ip dhcp-server network add address = 192.168.0.0/27 gateway = 192.168.0.30 dns-server
= 192.168.0.30 \
comment = ""
c. Add a DHCP server (in this example applied to the Local interface dhcp)
/ Ip dhcp-server add interface = local address-pool = dhcp-pool
d. Check the status of the DHCP server
[Admin @ myrouter]> ip dhcp-server print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
Local 0dhcp1
X states that the DHCP server has not enabled it is necessary first dienablekan
previously in step e.
e. Do not Forget made first enable dhcp server
/ Ip dhcp-server enable 0
then check back to the dhcp-server such as step 4, if X has no meaning
already active
f. Tests From the client
For example:
D: \> ping www.yahoo.com
6.- Transparent Proxy Server
Proxy server is a program that can speed up access to a web
that have been accessed by another computer, because it was in the store in
caching proxy server.Transparent profitable in client management,
because system administrators do not need to setup a proxy in
each client computer's browser for the automatic redirection is performed on the
server.
Form of configuration commands:
a. Web proxy settings:
- Ip proxy set enabled = yes
port = {port that will be used}
maximal-client-connections = 1000
maximal-server-connections = 1000
- Ip proxy direct add src-address = {network that will be

NAT} action = allow


- Ip web-proxy set parent-proxy = {proxy parent / optional}
hostname = {hostname for the proxy / optional}
port = {port that will be used}
src-address = {address will be used for connection
to the parent proxy / default 0.0.0.0}
transparent-proxy = yes
max-object-size = {maximum size file to be saved
as a cache / default 4096 in Kilobytes}
max-cache-size = {maximum size hard drive that will
used as a storage cache file / unlimited
| None | 12 in megabytes}
cache-administrator = {email administrator that will be used
if a proxy error, the status will be sent
to email}
enable == yes
Sample configuration
------a. Web proxy settings
/ Ip web-proxy
set enabled = yes src-address = 0.0.0.0 port = 8080 \
hostname = "proxy.myrouter.com" transparent-proxy = yes \
parent-proxy = 0.0.0.0:0 cache-administrator = "[email protected]" \
max-object-size = 131072KiB cache-drive = system max-cache-size = unlimited \
max-ram-cache-size = unlimited
Nat Redirect, the rule should be added to deflect REDIRECTING
HTTP traffic to the WEB-PROXY.
b. Setting for Transparant proxy firewall
Form of configuration commands:
ip firewall nat add chain = dstnat
protocol = tcp
dst-port = 80
action = redirect
to-ports = {proxy port}
The command:
--------------------------/ Ip firewall nat
add chain = dstnat protocol = tcp dst-port = 80 action = redirect to-ports = 8080 \
comment = "" disabled = no
add chain = dstnat protocol = tcp dst-port = 3128 action = redirect to-ports = 8080 \
comment = "" disabled = no
add chain = dstnat protocol = tcp dst-port = 8000 action = redirect to-ports = 8080 \
--------------------------above command is intended, so that all traffic to Port 80,3128,8000
deflected toward the port 8080 is a Web-Proxy port.
NOTE:

Command
/ Ip web-proxy print {to see the results of a web-proxy configuration}
/ Ip web-proxy monitor for monitoring the work {web-proxy}
7. - Bandwidth Management
QoS plays an important role in terms of providing services good on the client. For that we
need the bandwidth management for each data set is passed, so the division of bandwidth
into fair. In this case also includes a packet RouterOS software for memanagement
bandwidth.
Form of configuration commands:
queue simple add name = {name}
target-addresses = {ip address of the destination}
interfaces = {interface used to pass data}
max-limit = {out / in}
Below there is a configuration of traffic shaping or bandwidth management with Simple
Queue method, as the name implies, this type of queue is simple, but has a weakness,
sometimes leak bandwidth or bandwidth is not real in the monitor. Usage for 10 clients,
Queue type is not a problem.
Client is assumed there are as many as 15 clients, and each client was given ration of 8kbps
minimum bandwidth, and a maximum of 48kbps. Whereas Total bandwidth of 192Kbps. For
the upstream is not given a rule, means each client can use the bandwidth uptream
maximum. Note the priority command, the range of priority in Mikrotik eight. Means from 1
to 8, priority 1 is highest priority, while priority 8 is the lowest priority.
The following example kongirufasinya.
--------------------------/ Queue simple
add name = "trafikshaping" target-addresses = 192.168.0.0/27 dst-address = 0.0.0.0 / 0 \
interface = all parent = none priority = 1 queue = default / default \
limit-at = 0 / 64 000 max-limit = 0 / 192 000 total-queue = default disabled = no
add name = "01" target-addresses = 192.168.0.1/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "02" target-addresses = 192.168.0.2/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "03" target-addresses = 192.168.0.3/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "04" target-addresses = 192.168.0.4/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "10" target-addresses = 192.168.0.25/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "05" target-addresses = 192.168.0.5/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "06" target-addresses = 192.168.0.6/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "07" target-addresses = 192.168.0.7/32 dst-address = 0.0.0.0 / 0 \

interface = all parent = trafikshaping priority = 1 queue = default / default \


limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "08" target-addresses = 192.168.0.8/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "09" target-addresses = 192.168.0.9/32 dst-address = 0.0.0.0 / 0 \
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "10" target-addresses = 192.168.0.10/32 dst-address = 0.0.0.0 / 0
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "11" target-addresses = 192.168.0.11/32 dst-address = 0.0.0.0 / 0
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "12" target-addresses = 192.168.0.12/32 dst-address = 0.0.0.0 / 0
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "13" target-addresses = 192.168.0.13/32 dst-address = 0.0.0.0 / 0
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "14" target-addresses = 192.168.0.14/32 dst-address = 0.0.0.0 / 0
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no
add name = "15" target-addresses = 192.168.0.15/32 dst-address = 0.0.0.0 / 0
interface = all parent = trafikshaping priority = 1 queue = default / default \
limit-at = 0 / 8000 max-limit = 0 / 48000 total-queue = default disabled = no

The command above because in the form of the command line, can also copy paste, then
paste it into the consol mikrotiknya. remember see first path or active directory. Please
dipaste course, if the position
direktorynya in Root.
----------------------Terminal vt102 detected, using multiline input mode
[Admin @ MikroTik]>
---------------------Another option is the method of bandwidth management, if if wanted bandwidth is shared
equally by Mikrotik, such as bandwidth 256kbps downstream and 256kbps upstream. While
the client will
access as many as 10 clients, each client automatically gets a small upstream and
downstream bandwidth of 256kbps divided by 10. So each one can be 25.6 kbps. If only 2
Client who access it each can be 128kbps.
For that type used PCQ (Per Connection Queue), which can be automatically divide the traffic
per client. About the type of queue in mikrotik This can be read on the manual in
http://www.mikrotik.com/testdocs/
ros/2.9/root/queue.php.
Previously need to be made a rule in the mangle. Such as:
----------------------/ Ip firewall mangle add chain = forward src-address = 192.168.0.0/27 \
action = mark-connection new-connection-mark = users-con
/ Ip firewall mangle add connection-mark = users-con action = mark-packet \
new-packet-mark = users chain = forward
------------------------

Because type PCQ does not exist, then it needs to be added, there are two types of this PCQ.
First named pcq-download, which will regulate all traffic through the destination address /
destination address. Traffic is passing Local interface. So that all traffic download /
downstream coming from the network 192.168.0.0/27 will be shared automatically.
PCQ second type, called pcq-upload, to regulate all upstream traffic derived from the source
address / source address. Traffic is passing public interface. So that all traffic upload /
upstream originating from the network 192.168.0.0/27 will be shared automatically.
Command:
------------------------/ Queue type add name = pcq-download kind = pcq pcq-classifier = dst-address
/ Queue type add name = pcq-upload kind = pcq pcq-classifier = src-address
------------------------Once the rules for the PCQ and Mangle added, now for the rules traffic division. Queue
Queue Tree is used, ie:
------------------------/ Queue tree add parent = Local queue = pcq-download packet-mark = users
/ Queue tree add parent = Public queue = pcq-upload packet-mark = users
------------------------The command above assumes that if the bandwidth received from the provider Internet
berflukstuasi or changing. If we believe that the bandwidth received, for example can
256kbs downstream, and 256kbps upstream, then No more rules, such as:
For downstream traffic:
-----------------------/ Queue tree add name = Download parent = Local max-limit = 256k
/ Queue tree add parent = Download queue = pcq-download packet-mark = users
------------------------And upstream traffic:
------------------------/ Queue tree add name = Upload parent = Public max-limit = 256k
/ Queue tree add parent = Upload queue = pcq-upload packet-mark = users
------------------------8. - MRTG Monitor via Web
This facility is necessary for monitoring traffic in the form of graphs, can viewed using a
browser. MRTG (The Multi Router Traffic Grapher) has dibuild such a way that allows us to
use it. Already available packaged basically.
Example configuration
------------------------/ Tool graphing
set store-every = 5min
/ Tool graphing interface
add interface = all allow-address = 0.0.0.0 / 0 store-on-disk = yes disabled = no
------------------------The above command will display a graph of the traffic that passes through the interface
good network of Public Interface and Local Interface, which rendered every 5 minutes.
Addresses can also be set anything that can access MRTG is, the allow-address parameter.
9. - Security in Mikrotik

After some configuration above has been prepared, of course not forgetting our consider the
security of this mikrotik gateway machine, there are few facilities used. In this case will be
discussed on the firewall. Facilities
The underlying this firewall is similar to IP TABLES on Gnu / Linux only some commands have
been simplified but efficient.
In Mikrotik firewall command is contained in IP mode, ie
[Admin @ myrouter]> / ip firewall
There are several packet filters like mangle, nat, and filters.
------------------------[Admin @ myrouter] ip firewall>?
Firewall allows IP packet filtering on per packet basis.
.. - Go up to the ip
mangle / - The packet marking management
nat / - Network Address Translation
connection / - Active Connections
filter / - Firewall filters
address-list / service-port / - Service port management
export ------------------------For this time we will see the ip firewall filter configuration.
Because the breadth of the firewall filter parameters for the discussion of Firewall Filters can
be seen in the manual mikrotik, in http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php
Configuration below can block some of the Trojan, Virus, Backdoor which have been
identified previously used either Port Numbers and Protocols. It has also been configured to
withstand the flooding of the Network and Public Local network. As well as providing rules for
access control in order, Range only certain tissues that can perform remote or access the
service Mikrotik specific to our machine.
Sample Application filter
-------------------------/ Ip firewall filter
add chain = input connection-state = invalid action = drop comment = "Drop Invalid \
connections "disabled = no
add chain = input src-address =! 192.168.0.0/27 protocol = tcp src-port = 1024-65535 \
dst-port = 8080 action = drop comment = "Block to Proxy" disabled = no
add chain = input protocol = udp dst-port = 12667 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 27665 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 31335 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 27444 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 34555 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = udp dst-port = 35555 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 27444 action = drop comment = "trinoo" \

disabled = no
add chain = input protocol = tcp dst-port = 27665 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 31335 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 31846 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 34555 action = drop comment = "trinoo" \
disabled = no
add chain = input protocol = tcp dst-port = 35555 action = drop comment = "trinoo" \
disabled = no
add chain = input connection-state = established action = accept comment = "Allow \
Established connections "disabled = no
add chain = input protocol = udp action = accept comment = "Allow UDP" disabled = no
add chain = input protocol = icmp action = accept comment = "Allow ICMP" disabled = no
add chain = input src-address = 192.168.0.0/27 action = accept comment = "Allow access \
to router from known network "disabled = no
add chain = input action = drop comment = "Drop anything else" disabled = no
add chain = forward protocol = tcp connection-state = invalid action = drop \
comment = "drop invalid connections" disabled = no
add chain = forward connection-state = established action = accept comment = "allow \
already established connections "disabled = no
add chain = forward connection-state = related action = accept comment = "allow \
related connections "disabled = no
add chain = forward src-address = 0.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward dst-address = 0.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward src-address = 127.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward dst-address = 127.0.0.0 / 8 action = drop comment = "" disabled = no
add chain = forward src-address = 224.0.0.0 / 3 action = drop comment = "" disabled = no
add chain = forward dst-address = 224.0.0.0 / 3 action = drop comment = "" disabled = no
add chain = forward protocol = tcp action = jump jump-target = tcp comment = "" \
disabled = no
add chain = forward protocol = udp action = jump jump-target = udp comment = "" \
disabled = no
add chain = forward protocol = icmp action = jump jump-target = icmp comment = "" \
disabled = no
add chain = tcp protocol = tcp dst-port = 69 action = drop comment = "deny TFTP" \
disabled = no
add chain = tcp protocol = tcp dst-port = 111 action = drop comment = "deny RPC \
portmapper "disabled = no
add chain = tcp protocol = tcp dst-port = 135 action = drop comment = "deny RPC \
portmapper "disabled = no
add chain = tcp protocol = tcp dst-port = 137-139 action = drop comment = "deny NBT" \
disabled = no
add chain = tcp protocol = tcp dst-port = 445 action = drop comment = "deny cifs" \
disabled = no
add chain = tcp protocol = tcp dst-port = 2049 action = drop comment = "deny NFS" \
disabled = no
add chain = tcp protocol = tcp dst-port = 12345-12346 action = drop comment = "deny \
NetBus "disabled = no
add chain = tcp protocol = tcp dst-port = 20034 action = drop comment = "deny NetBus" \
disabled = no
add chain = tcp protocol = tcp dst-port = 3133 action = drop comment = "deny \
BackOriffice "disabled = no
add chain = tcp protocol = tcp dst-port = 67-68 action = drop comment = "deny DHCP" \
disabled = no
add chain = udp protocol = udp dst-port = 69 action = drop comment = "deny TFTP" \
disabled = no

add chain = udp protocol = udp dst-port = 111 action = drop comment = "deny PRC \
portmapper "disabled = no
add chain = udp protocol = udp dst-port = 135 action = drop comment = "deny PRC \
portmapper "disabled = no
add chain = udp protocol = udp dst-port = 137-139 action = drop comment = "deny NBT" \
disabled = no
add chain = udp protocol = udp dst-port = 2049 action = drop comment = "deny NFS" \
disabled = no
add chain = udp protocol = udp dst-port = 3133 action = drop comment = "deny \
BackOriffice "disabled = no
add chain = input protocol = tcp psd = 21.3 s, 3.1 action = add-src-to-address-list \
address-list = "port scanners" address-list-timeout = 2w comment = "Port \
scanners to list "disabled = no
add chain = input protocol = tcp tcp-flags = fin,! syn,! rst,! PSH,! ack,! URG \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "NMAP FIN Stealth scan" disabled = no
add chain = input protocol = tcp tcp-flags = fin, syn action = add-src-to-address-list \
address-list = "port scanners" address-list-timeout = 2w comment = "SYN / FIN \
scan "disabled = no
add chain = input protocol = tcp tcp-flags = syn, rst action = add-src-to-address-list \
address-list = "port scanners" address-list-timeout = 2w comment = "SYN / RST \
scan "disabled = no
add chain = input protocol = tcp tcp-flags = FIN, PSH, URG,! syn,! rst,! ack \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "FIN / PSH / URG scan" disabled = no
add chain = input protocol = tcp tcp-flags = fin, syn, rst, PSH, ACK, URG \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "ALL / ALL scan" disabled = no
add chain = input protocol = tcp tcp-flags =! fin,! syn,! rst,! PSH,! ack,! URG \
action = add-src-to-address-list address-list = "port scanners" \
address-list-timeout = 2w comment = "NMAP NULL scan" disabled = no
add chain = input src-address-list = "port scanners" action = drop comment = "dropping \
port scanners "disabled = no
add chain = icmp protocol = icmp icmp-options = 0:0 action = accept comment = "drop \
invalid connections "disabled = no
add chain = icmp protocol = icmp icmp-options = 3:0 action = accept comment = "allow \
established connections "disabled = no
add chain = icmp protocol = icmp icmp-options = 3:1 action = accept comment = "allow \
already established connections "disabled = no
add chain = icmp protocol = icmp icmp-options = 4:0 action = accept comment = "allow \
source quench "disabled = no
add chain = icmp protocol = icmp icmp-options = 8:0 action = accept comment = "allow \
echo request "disabled = no
add chain = icmp protocol = icmp icmp-options = 11:0 action = accept comment = "allow \
time exceed "disabled = no
add chain = icmp protocol = icmp icmp-options = 12:0 action = accept comment = "allow \
parameter bad "disabled = no
add chain = icmp action = drop comment = "deny all other types" disabled = no
add chain = tcp protocol = tcp dst-port = 25 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = udp dst-port = 25 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = tcp dst-port = 110 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = udp dst-port = 110 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no
add chain = tcp protocol = udp dst-port = 110 action = reject \
reject-with = icmp-network-unreachable comment = "smtp" disabled = no

-------------------------- [10/01] - Service and Viewing the Active Service with PortScanner
To ensure that any active service in Machine mikrotik, we need to scan to a specific port, if
there are services that are not needed, better off alone.
To disable and enable servise, the command is:
We verify what services are active
---------------------------[Admin @ myrouter]> ip service
[Admin @ myrouter] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
X 0 telnet 23 0.0.0.0 / 0
1 ftp 21 0.0.0.0 / 0
2 www 80 0.0.0.0 / 0
3 ssh 22 0.0.0.0 / 0
4 www-ssl 443 0.0.0.0 / 0 none
[Admin @ myrouter]ip service>
---------------------------Suppose the FTP service is disabled, ie in the above list is located at
number 1 (see Flags) then:
--------------------------[Admin @ myrouter] ip service> set 1 disabled = yes
--------------------------We need to check again,
--------------------------[Admin @ myrouter] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
X 0 telnet 23 0.0.0.0 / 0
1 X ftp 21 0.0.0.0 / 0
2 www 80 0.0.0.0 / 0
3 ssh 22 0.0.0.0 / 0
4 www-ssl 443 0.0.0.0 / 0 none
[Admin@myrouter] ip service>
--------------------------Now the FTP service has been disabled.
Using nmap tool we can check what ports are active on the machine
gateway has been configured.
Command: nmap-vv-sS-sV-P0 192.168.0.30
Results:
----------------------------Starting Nmap 4.20 (http://insecure.org) at 2007-04-04 19:55 SE Asia Standard Time
Initiating ARP Ping Scan at 19:55
Scanning 192.168.0.30 [1 port]

Completed ARP Ping Scan at 19:55, 0.31s elapsed (1 total hosts)


Initiating Parallel DNS resolution of 1 host. at 19:55
Completed Parallel DNS resolution of 1 host. at 19:55, 0.05s elapsed
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.0.30 [1697 ports]
Discovered open port 22/tcp on 192.168.0.30
Discovered open port 53/tcp on 192.168.0.30
Discovered open port 80/tcp on 192.168.0.30
Discovered open port 21/tcp on 192.168.0.30
Discovered open port 3986/tcp on 192.168.0.30
Discovered open port 2000/tcp on 192.168.0.30
Discovered open port 8080/tcp on 192.168.0.30
Discovered open port 3128/tcp on 192.168.0.30
Completed SYN Stealth Scan at 19:55, 7.42s elapsed (1697 total ports)
Initiating Service scan at 19:55
Scanning 8 services on 192.168.0.30
Completed Service scan at 19:57, 113.80s elapsed (8 services on 1 host)
Host 192.168.0.30 Appears to be up ... good.
Interesting ports on 192.168.0.30:
Not shown: 1689 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 2.9.27
22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99)
53/tcp open domain?
80/tcp open http MikroTik router http config
2000/tcp open callbook?
3128/tcp open http-proxy Squid webproxy 2.5.STABLE11
3986/tcp open mapper-ws_ethd?
8080/tcp open http-proxy Squid webproxy 2.5.STABLE11
2 services unrecognized despite returning data. If you know the service / version,
please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi:
============== NEXT SERVICE FINGERPRINT (SUBMIT Individually )
==============
SF-Port53-TCP: V = 4.20% I = 7% D = 4 / 4% Time = 4613A03C% P = i686-pc-windowswindows% r (D
SF: NSVersionBindReq, E, "\ x0c \ x06 \ x81 \ x84")% r (DNSStatusR
SF: equest, E, "\ x0c \ X90 \ x84");
============== NEXT SERVICE FINGERPRINT (SUBMIT Individually )
==============
SF-Port2000-TCP: V = 4.20% I = 7% D = 4 / 4% Time = 4613A037% P = i686-pc-windowswindows% r
SF: (NULL, 4, "\ x01")% r (GenericLines, 4, "\ x01")% r (GetRequest, 18, "\
SF: x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (
SF: HTTPOptions, 18, "\ x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ x
SF: b2F \ xff9 \ xb0 ")% r (RTSPRequest, 18," \ x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x
SF: 1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (RPCCheck, 18," \ x01 \ x02d \? \
SF: xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (DNSVersionBindReq,
18," \
SF: x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (
SF: DNSStatusRequest, 4, "\ x01")% r (Help, 4, "\ x01")% r (X11Probe, 4, "\
SF: x01 ")% r (FourOhFourRequest, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \
SF:] \ + \ x11 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (LPDString, 4," \ x01 ")% r (LDAP
SF: BindReq, 4, "\ x01")% r (LANDesk-RC, 18, "\ x01 \ x02 \ xb9 \ x15 & \
SF: xf1A \] \ + \ x11 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (TerminalServer, 4," \ x01 \
SF: 0 ")% r (NCP, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \] \ + \ x11 \ n \ xf6 \ x9b \ xa0,
SF: \ xb0 \ xe1 \ xa5 ")% r (NotesRPC, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \] \ + \ x1

SF: 1 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (NessusTPv10, 4," \ x01 ");
MAC Address: 00:90:4 C: 91:77:02 (Epigram)
Service Info: Host: myrouter; Device: router
Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/.
Nmap finished: 1 IP address (1 host up) scanned in 123 031 seconds
Raw packets sent: 1706 (75.062KB) | rcvd: 1722 (79.450KB)
------------------------From the results of such scanning can we take the conclusion, that the service and active
port is a FTP version of the MikroTik router ftpd 2.9.27. To SSH with OpenSSH version 2.3.0
mikrotik 2.9.27 (protocol 1.99). And the Web use the Squid proxy in Squid version webproxy
2.5.STABLE11.
Of course, the vendor has to patch against mikrotik Hole or Vulnerabilities of the above
Protocol Version.
- [10/02] - Network Administration Tool
Practically speaking, there are some tools that can be utilized in mela do network
troubleshooting, such as tools ping, traceroute, ssh, etc.. Some tools are often used later in
the day-to-day administration
are:
o
o
o
o

Telnet
SSH
Traceroute
Sniffer

a. Telnet
Remote commands are almost the same machine with the use of the existing telnet
on Linux or Windows.
[Admin @myrouter]> system telnet?
Sekilias above command to see what parameters are there. For example
remote machine with IP address 192.168.0.21 and port 23. Then
[Admin @ myrouter]> system telnet 192.168.0.21
Use of telnet should be limited to certain conditions for reasons security, as we know, a
packet of data sent via telnet has not been encrypted. To be more safe we use SSH.
b. SSH
Together with the telnet command is also needed in the remote machine, and principle same
parameters with the command on Linux and Windows.
[Admin @myrouter]> system ssh 192.168.0.21
SSH parameters above, a slight difference with telnet. If you see helpnya
has an additional parameter of the user.
-------------------------[Admin @ myrouter]> ssh system?
The SSH feature can be used with Various SSH Telnet clients to securely connect

to and administrate the router


user - User name
port - Port number
[Admin @ myrouter]>
-------------------------Suppose we are going to be remotely on a machine with the system
Linux operation, which has the account, username and password Root
123 456 in the address 66.213.7.30. Then the command,
-------------------------[Admin @ myrouter]> system 66.213.7.30 ssh user = root
[email protected] 's password:
-------------------------c. Traceroute
Knowing what or router hops through which a packet until the packet
was sent to the destination, we usually use the traceroute. With this tool
can be routed anywhere in the analysis of the course packet.
Suppose want to know the path the packet to the server yahoo, then:
-------------------------[Admin @ myrouter]> tool traceroute yahoo.com ADDRESS STATUS
1 63.219.6.nnn 00:00:00 00:00:00 00:00:00
2 222.124.4.nnn 00:00:00 00:00:00 00:00:00
3 192.168.34.41 00:00:00 00:00:00 00:00:00
4 61.94.1.253 00:00:00 00:00:00 00:00:00
5 203,208,143,173 00:00:00 00:00:00 00:00:00
6 203.208.182.5 00:00:00 00:00:00 00:00:00
7 203,208,182,114 00:00:00 00:00:00 00:00:00
8 203,208,168,118 00:00:00 00:00:00 00:00:00
9 203 208 168 134 timeout 00:00:00 00:00:00
Timeout timeout 10 00:00:00 216.115.101.34
11 216 115 101 129 0:00:00 timeout timeout
12 216.115.108.1 timeout timeout 00:00:00
13 216,109,120,249 00:00:00 00:00:00 00:00:00
14 216 109 112 135 0:00:00 timeout timeout
-------------------------d. Sniffer
We can capture and packet-packet tap running in our network, this tool has been provided
by Mikrotik useful in analyzing the traffic.
-------------------------[Admin @ myrouter]> sniffer tool
Packet sniffering
.. - Go up to tool
start - Start / reset sniffering
stop - Stop sniffering
save - Save currently sniffed packets
packet / - sniffed packets management

protocol / - Protocol management


host / - Host management
connection / - Connection management
print get - get value of property
set edit - edit the value of property
export -------------------------To begin the process of sniffing can use the Start command, while
stop it can make use of the Stop command.

You might also like