
Mikrotik Configuration

Mikrotik configurations

Uploaded by

jdiosesjr

Mikrotik Router Basic Configuration

IP Address Configuration:
/ip address
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LOCAL
add address=103.7.248.206/29 network=103.7.248.200 broadcast=103.7.248.207 interface=WAN

DNS Configuration:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=4.4.4.4,8.8.8.8

NAT Configuration:
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=WAN

IP Route Configuration:
/ip route
add dst-address=0.0.0.0/0 gateway=103.7.248.201

Simple Queue Configuration For Client 192.168.1.2:
/queue simple
add name="xxx" target-addresses=192.168.1.2/32 interface=LOCAL parent=none \
    packet-marks="" direction=both priority=8 \
    queue=default-small/default-small limit-at=0/0 max-limit=512k/512k \
    burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s \
    total-queue=default-small

Simple Queue Configuration For Client 192.168.1.3:
/queue simple
add name="yyy" target-addresses=192.168.1.3/32 interface=LOCAL parent=none \
    packet-marks="" direction=both priority=8 \
    queue=default-small/default-small limit-at=0/0 max-limit=1M/1M \
    burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s \
    total-queue=default-small

How to Block YouTube, Yahoo, TeamViewer and Port Scanners Using Mikrotik Firewall Rules Configuration

How to Block YouTube Video Using Mikrotik Firewall Rules Configuration

/ip firewall layer7-protocols
add name="Block Youtube" regexp=
/ip firewall filter
add chain=forward action=drop layer7-protocol="Block Youtube" comment="Block Youtube"

How to Block TeamViewer Using Mikrotik Firewall Rules Configuration

/ip firewall filter
add chain=forward action=add-dst-to-address-list protocol=tcp address-list="Team View" address-list-timeout=1d dst-port=5938
add chain=forward action=drop src-address-list="Team View"
add chain=forward action=drop dst-address-list="Team View"

How to Block Port Scanner Attack Using Mikrotik Firewall Rules Configuration
/ip firewall filter
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Block_port_Scanner address-list-timeout=0s
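
The rule above only records scanning hosts in the address list; nothing is dropped until another rule matches on that list. The following is an added example, not part of the original document, that goes beyond the psd matcher by also listing sources that send TCP flag combinations no normal handshake produces, and then drops listed sources. The 2w timeout and the comments are assumptions.

```routeros
/ip firewall filter
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
# Packets from one host to different destination ports, less than 3s apart,
# add weight 3 (ports below 1024) or 1 (other ports); a total of 21 is a scan.
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 \
    address-list=Block_port_Scanner address-list-timeout=2w \
    comment="Port scan detected by psd"
# Flag combinations that a legitimate TCP stack does not send.
add chain=input action=add-src-to-address-list protocol=tcp tcp-flags=fin,syn \
    address-list=Block_port_Scanner address-list-timeout=2w \
    comment="SYN/FIN scan"
add chain=input action=add-src-to-address-list protocol=tcp tcp-flags=syn,rst \
    address-list=Block_port_Scanner address-list-timeout=2w \
    comment="SYN/RST scan"
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
    address-list=Block_port_Scanner address-list-timeout=2w \
    comment="FIN scan"
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    address-list=Block_port_Scanner address-list-timeout=2w \
    comment="FIN/PSH/URG scan"
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    address-list=Block_port_Scanner address-list-timeout=2w \
    comment="NULL scan"
# Enforcement: drop listed sources for the router itself and for forwarded traffic.
add chain=input action=drop src-address-list=Block_port_Scanner \
    comment="Drop listed scanners (to router)"
add chain=forward action=drop src-address-list=Block_port_Scanner \
    comment="Drop listed scanners (through router)"
```

These rules must sit above any general accept rule in each chain, because the filter processes rules in order and stops at the first terminating match.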

How to Block Yahoo Using Mikrotik Firewall Rules Configuration

/ip firewall filter
add chain=forward action=drop protocol=tcp content=yahoo

How to Detect Infected Users or Spammers and Temporarily Block Them Using Mikrotik Router Firewall Configuration

This article shows how to automatically detect SMTP viruses or spammers and temporarily block them using the Mikrotik firewall configuration.

This configuration tells the Mikrotik router that when a user sends up to 50 emails per day, the router detects a spammer and blocks that IP address for one week.

/ip firewall filter
# Drop SMTP from sources already on the spamm-user list.
add chain=forward action=drop protocol=tcp src-address-list=spamm-user dst-port=25
# connection-limit=50,32 counts connections to port 25 per single source address (/32) with a limit of 50.
add chain=forward action=add-src-to-address-list protocol=tcp address-list=spamm-user address-list-timeout=1w dst-port=25 connection-limit=50,32

Mikrotik Router Bogon IP Address Filtering Firewall Configuration

But if we are using a routing protocol such as OSPF or RIP, then we must not drop 224.0.0.0/3.
See the video configuration: http://www.youtube.com/watch?v=Won9MFyxnC8

/ip firewall address-list
add list=BOTNET address=0.0.0.0/8
add list=BOTNET address=100.64.0.0/10
add list=BOTNET address=127.0.0.0/8
add list=BOTNET address=169.254.0.0/16
add list=BOTNET address=172.16.0.0/12
add list=BOTNET address=192.168.0.0/16
add list=BOTNET address=192.0.0.0/24
add list=BOTNET address=198.18.0.0/15
add list=BOTNET address=198.51.100.0/24
add list=BOTNET address=203.0.113.0/24
add list=BOTNET address=224.0.0.0/3
print
Flags: X - disabled, D - dynamic
 #   LIST     ADDRESS
 0   BOTNET   0.0.0.0/8
 1   BOTNET   100.64.0.0/10
 2   BOTNET   127.0.0.0/8
 3   BOTNET   169.254.0.0/16
 4   BOTNET   172.16.0.0/12
 5   BOTNET   192.0.0.0/24
 6   BOTNET   192.168.0.0/16
 7   BOTNET   198.18.0.0/15
 8   BOTNET   198.51.100.0/24
 9   BOTNET   203.0.113.0/24
10   BOTNET   224.0.0.0/3

/ip firewall filter
add chain=forward action=drop src-address-list=BOTNET comment="Drop all botnet ip address incoming"
add chain=forward action=drop dst-address-list=BOTNET comment="Drop All botnet ip address outgoing"
print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Drop all botnet ip address incoming
     chain=forward action=drop src-address-list=BOTNET

 1   ;;; Drop All botnet ip address outgoing
     chain=forward action=drop dst-address-list=BOTNET
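
The BOTNET list contains 192.168.0.0/16 and 172.16.0.0/12, which are also the LAN ranges used on this page, so a forward rule that matches on the list alone also matches the router's own clients. The following is an added example, not part of the original document, that ties each drop to the Internet-facing interface; it assumes that interface is named WAN as in the basic configuration.

```routeros
/ip firewall filter
# Packets arriving from the Internet must never carry a bogon source address.
add chain=forward action=drop in-interface=WAN src-address-list=BOTNET \
    comment="Drop bogon sources arriving on WAN"
# Packets leaving towards the Internet must never target a bogon destination.
# Replies to LAN clients leave via the LAN interface, so they are not matched.
add chain=forward action=drop out-interface=WAN dst-address-list=BOTNET \
    comment="Drop bogon destinations leaving via WAN"
# Apply the same source check to traffic addressed to the router itself.
add chain=input action=drop in-interface=WAN src-address-list=BOTNET \
    comment="Drop bogon sources addressed to the router"
```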

Mikrotik port forwarding example | How to redirect http traffic

This article shows how to forward HTTP traffic to the internal web server.
Let our web server's IP address be 192.168.10.100, using port 80.
/ip firewall nat
add chain=dstnat disabled=no dst-port=80 protocol=tcp action=dst-nat to-addresses=192.168.10.100 to-ports=80
As a result, all internal HTTP traffic is forwarded to the internal web server.
We can customize that firewall rule with different types of criteria.
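
The rule above has no interface or destination-address match, so it rewrites every TCP port 80 connection passing through the router, including web browsing from the LAN. The following is an added example, not part of the original document, that limits the forward to connections arriving from the Internet; using the interface name WAN1 and its address 103.7.248.206 from the two-WAN configuration on this page is an assumption.

```routeros
/ip firewall nat
# Translate only connections that arrive on WAN1 for the router's public address.
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address=103.7.248.206 \
    protocol=tcp dst-port=80 to-addresses=192.168.10.100 to-ports=80 \
    comment="Publish internal web server on WAN1 only"
/ip firewall filter
# The forward chain sees the translated destination; admit only this service.
add chain=forward action=accept in-interface=WAN1 dst-address=192.168.10.100 \
    protocol=tcp dst-port=80 comment="Allow published web server"
```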

Mikrotik Router Policy Routing 2 WAN Fail-over Configuration

IP address Configuration:
/ip address
add address=103.7.248.206/29 network=103.7.248.200 broadcast=103.7.248.207 interface=WAN1
add address=103.31.178.62/30 network=103.31.178.60 broadcast=103.31.178.63 interface=WAN2

VLAN Configuration on Mikrotik Router:
/interface vlan
add name=VLAN-100 interface=LOCAL vlan-id=100
add name=VLAN-200 interface=LOCAL vlan-id=200
/ip address
add address=192.168.10.1/24 interface=VLAN-100
add address=172.16.10.1/24 interface=VLAN-200

DNS Configuration:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=4.4.4.4,8.8.8.8
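
With allow-remote-requests=yes the router answers DNS queries arriving on every interface, including the Internet-facing ones, unless the input chain filters them. The following is an added example, not part of the original document, that leaves the resolver available to the VLANs and drops queries arriving on WAN1 and WAN2; in the basic configuration earlier on the page the single interface to filter is WAN.

```routeros
/ip firewall filter
# Only queries are matched (dst-port=53). Replies from the upstream servers
# return to an ephemeral port on the router and are not affected.
add chain=input action=drop in-interface=WAN1 protocol=udp dst-port=53 \
    comment="No DNS service on WAN1 (UDP)"
add chain=input action=drop in-interface=WAN1 protocol=tcp dst-port=53 \
    comment="No DNS service on WAN1 (TCP)"
add chain=input action=drop in-interface=WAN2 protocol=udp dst-port=53 \
    comment="No DNS service on WAN2 (UDP)"
add chain=input action=drop in-interface=WAN2 protocol=tcp dst-port=53 \
    comment="No DNS service on WAN2 (TCP)"
```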

NAT Configuration:
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.10.0/24 out-interface=WAN1
add chain=srcnat action=masquerade src-address=172.16.10.0/24 out-interface=WAN2

Mangle Configuration: forward 192.168.10.0/24 via WAN1 and 172.16.10.0/24 via WAN2
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=WAN1 passthrough=yes src-address=192.168.10.0/24
add chain=prerouting action=mark-routing new-routing-mark=WAN2 passthrough=yes src-address=172.16.10.0/24

Route Configuration
/ip route
add dst-address=0.0.0.0/0 routing-mark=WAN1 check-gateway=ping distance=1 gateway=103.7.248.201
add dst-address=0.0.0.0/0 routing-mark=WAN2 check-gateway=ping distance=1 gateway=103.31.178.61

Fail-Over Configuration
/ip route
add dst-address=0.0.0.0/0 routing-mark=WAN1 check-gateway=ping distance=2 gateway=103.31.178.61
add dst-address=0.0.0.0/0 routing-mark=WAN2 check-gateway=ping distance=2 gateway=103.7.248.201

Simple Queue Configuration For Client 192.168.10.2:
/queue simple
add name="Test1" target-addresses=192.168.10.2/32 interface=VLAN-100 parent=none \
    packet-marks="" direction=both priority=8 \
    queue=default-small/default-small limit-at=0/0 max-limit=1M/1M \
    burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s \
    total-queue=default-small

Simple Queue Configuration For Client 172.16.10.2:
/queue simple
add name="Test2" target-addresses=172.16.10.2/32 interface=VLAN-200 parent=none \
    packet-marks="" direction=both priority=8 \
    queue=default-small/default-small limit-at=0/0 max-limit=1M/1M \
    burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s \
    total-queue=default-small

AccessSwitch Configuration:
AccessSwitch>enable
AccessSwitch#configure terminal
AccessSwitch(config)#interface fastethernet 0/0
AccessSwitch(config-if)#switchport mode trunk
AccessSwitch(config-if)#switchport trunk allowed vlan all
AccessSwitch(config-if)#switchport nonegotiate
AccessSwitch(config-if)#exit
AccessSwitch(config)#vlan 100
AccessSwitch(config-vlan)#vlan 200
AccessSwitch(config-vlan)#exit
AccessSwitch(config)#interface fastethernet 0/1
AccessSwitch(config-if)#switchport mode access
AccessSwitch(config-if)#switchport access vlan 100
AccessSwitch(config-if)#exit
AccessSwitch(config)#interface fastethernet 0/2
AccessSwitch(config-if)#switchport mode access
AccessSwitch(config-if)#switchport access vlan 200
