Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!
ProductsContributeDocsCareer

How to install MikroTik CHR on Hetzner Cloud

profile picture
Author
Robert Bär
Published
2021-03-16
Time to read
5 minutes reading time

About the author- Developer

Table of Contents

Introduction

We are focusing on installing the Cloud Hosted Router (CHR) OS and doing a basic setup in this documentation. For any further configuration details, please take a look at the official MikroTik wiki.

Prerequisites

Make sure the cloud server meets the requirements for your desires. This setup can be performed on any available cloud server.

Step 1 - Installation

If you have not already done so, create a server of your choice. Then boot it into the rescue system. The login credentials are shown while requesting it. To install CHR we download the Raw disk image from the MikroTik website and extract it directly onto the virtual disk via DD.

These commands do all the necessary steps:

# curl -L https://download.mikrotik.com/routeros/6.49.10/chr-6.49.10.img.zip > mikrotik-chr.zip
# funzip mikrotik-chr.zip > mikrotik-chr.img
# dd if=/path/to/mikrotik-chr.img of=/dev/sda bs=1M

Step 2 - Security

Afterwards you can reboot the server into the newly installed OS.

Keep in mind, that the default login credentials are user : admin and password : none. Therefore it is recommended to immediately disable the admin user and add a new one. To do so, login to your server via ssh or the Hetzner Console and do the following commands:

# /user add name=<username> password=<userpassword> group=full
# /user remove admin

If desired you can add an IP address to a user, limiting access to that user account from the IP entered.

# /user set <username> allowed-address=<IPv4>/<Netmask>

Now we want to disable all unnecessary services. Current running services can be shown via # /ip service print. In this case we will disable all except ssh:

# /ip service disable telnet,ftp,www,api,api-ssl,winbox

We recommend to change the default ssh port 22 with any other desired port.

# /ip service set ssh port=33458

The following commands disable unwanted management access to network devices, which we recommend.

# /tool mac-server set allowed-interface-list=none
# /tool mac-server mac-winbox set allowed-interface-list=none
# /tool mac-server ping set enabled=no
# /tool bandwidth-server set enabled=no
# /ip neighbor discovery-settings set discover-interface-list=none 
# /ip dns set allow-remote-requests=no
# /ip proxy set enabled=no
# /ip socks set enabled=no
# /ip upnp set enabled=no
# /ip cloud set ddns-enabled=no update-time=no
# /ip ssh set strong-crypto=yes

Step 3 - Basic Firewall

Right from the start the CHR has a basic firewall setup and we strongly recommend to not turn it off, if you are not 100% sure what to do. The following rules adjust it to make it more secure:

# /ip firewall filter
# add action=accept chain=input connection-state=established,related  # accept established/related connections 
# add action=accept chain=input src-address-list=<list-name>          # IPs in <list-name> are allowed to access 
# add action=accept chain=input protocol=icmp                         # allows ICMP
# add action=drop chain=input                                         # Other connections getting dropped
# /ip firewall address-list
# add address=10.0.0.1-10.0.0.254 list=<list-name>                    # adds addresses to <list-name>

We will now create some basic adjustments to the firewall rules for the clients.

First add the desired private networks to a list:

# /ip firewall address-list
# add address=10.0.0.0/24 list=private_networks
# add address=10.0.1.0/24 list=private_networks
...

Now we want to secure those networks.

First, only new connections will be allowed by the firewall. Next we will also set a rule to drop any invalid connection. Those are logged with the tag invalid.

The same is done for private IPs, which try to reach a public IP. To make sure that non-public addresses from outside cannot reach your server, we drop those packages, as well as packages from the LAN with non-private IPs.

# /ip firewall filter
# add action=accept chain=forward connection-state=established,related
# add action=drop chain=forward connection-state=invalid log=yes log-prefix=invalid
# add action=drop chain=forward dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
# add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# add action=drop chain=forward in-interface=ether1 log=yes log-prefix=!public src-address-list=private_networks
# add action=drop chain=forward in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!<privateIP-network>

Conclusion

After you have followed all steps correctly, you should have a stable basic setup of the MikroTik Cloud Hosted Router OS.

Further instructions can be found on the MikroTik wiki.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Submit an articleFind out more
Report Issue
Try Hetzner Cloud

Get 20€ free credit!

Valid until: 31 December 2024 Valid for: 3 months and only for new customers
Get started
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more
Report Issue