Introduction
We are focusing on installing the Cloud Hosted Router (CHR) OS and doing a basic setup in this documentation. For any further configuration details, please take a look at the official MikroTik wiki.
Prerequisites
Make sure the cloud server meets the requirements for your desires. This setup can be performed on any available cloud server.
Step 1 - Installation
If you have not already done so, create a server of your choice. Then boot it into the rescue
system. The login credentials are shown while requesting it. To install CHR we download the Raw disk image
from the MikroTik website and extract it directly onto the virtual disk via DD.
These commands do all the necessary steps:
# curl -L https://download.mikrotik.com/routeros/6.49.10/chr-6.49.10.img.zip > mikrotik-chr.zip
# funzip mikrotik-chr.zip > mikrotik-chr.img
# dd if=/path/to/mikrotik-chr.img of=/dev/sda bs=1M
Step 2 - Security
Afterwards you can reboot the server into the newly installed OS.
Keep in mind, that the default login credentials are user : admin
and password : none
. Therefore it is recommended to immediately disable the admin user and add a new one. To do so, login to your server via ssh or the Hetzner Console and do the following commands:
# /user add name=<username> password=<userpassword> group=full
# /user remove admin
If desired you can add an IP address to a user, limiting access to that user account from the IP entered.
# /user set <username> allowed-address=<IPv4>/<Netmask>
Now we want to disable all unnecessary services. Current running services can be shown via # /ip service print
. In this case we will disable all except ssh
:
# /ip service disable telnet,ftp,www,api,api-ssl,winbox
We recommend to change the default ssh port 22
with any other desired port.
# /ip service set ssh port=33458
The following commands disable unwanted management access to network devices, which we recommend.
# /tool mac-server set allowed-interface-list=none
# /tool mac-server mac-winbox set allowed-interface-list=none
# /tool mac-server ping set enabled=no
# /tool bandwidth-server set enabled=no
# /ip neighbor discovery-settings set discover-interface-list=none
# /ip dns set allow-remote-requests=no
# /ip proxy set enabled=no
# /ip socks set enabled=no
# /ip upnp set enabled=no
# /ip cloud set ddns-enabled=no update-time=no
# /ip ssh set strong-crypto=yes
Step 3 - Basic Firewall
Right from the start the CHR has a basic firewall setup and we strongly recommend to not turn it off, if you are not 100% sure what to do. The following rules adjust it to make it more secure:
# /ip firewall filter
# add action=accept chain=input connection-state=established,related # accept established/related connections
# add action=accept chain=input src-address-list=<list-name> # IPs in <list-name> are allowed to access
# add action=accept chain=input protocol=icmp # allows ICMP
# add action=drop chain=input # Other connections getting dropped
# /ip firewall address-list
# add address=10.0.0.1-10.0.0.254 list=<list-name> # adds addresses to <list-name>
We will now create some basic adjustments to the firewall rules for the clients.
First add the desired private networks to a list:
# /ip firewall address-list
# add address=10.0.0.0/24 list=private_networks
# add address=10.0.1.0/24 list=private_networks
...
Now we want to secure those networks.
First, only new connections will be allowed by the firewall. Next we will also set a rule to drop any invalid connection. Those are logged with the tag invalid
.
The same is done for private IPs, which try to reach a public IP. To make sure that non-public addresses from outside cannot reach your server, we drop those packages, as well as packages from the LAN with non-private IPs.
# /ip firewall filter
# add action=accept chain=forward connection-state=established,related
# add action=drop chain=forward connection-state=invalid log=yes log-prefix=invalid
# add action=drop chain=forward dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
# add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# add action=drop chain=forward in-interface=ether1 log=yes log-prefix=!public src-address-list=private_networks
# add action=drop chain=forward in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!<privateIP-network>
Conclusion
After you have followed all steps correctly, you should have a stable basic setup of the MikroTik Cloud Hosted Router OS.
Further instructions can be found on the MikroTik wiki.