Disable ssh and telnet on mikrotik

SSH and Telnet service are active by default on mikrotik router, so we can configure mikrotik router remotely from ssh and telnet client. But on some condition network administrator need to disable this service, because maybe worry about hacker to collect or owned this router. On the next article i'll share how to configuration ssh service to be remote securely using port knocking.

Now, here is step by step how to disable ssh and telnet service on mikrotik router :

• Connect to your mikrotik router
• Click IP > Services 
• Next click ssh and telnet, then click on sign (X) to disable service 
  
• Ok, its so simple...

How to record ip address client on mikrotik

Mikrotik router supports a feature to record log ip address behind mikrotik, so if we want to monitoring where is ip address or client are active we can use this feature. Usually many network administrator need to monitoring them to make sure there is no unwanted ip address or client use this resource (network resource).

This is how to configuring record ip address client on mikrotik

• Connect to your mikrotik router using winbox
• Click on IP > Firewall
• On the tab Firewall click sign plus (+) 
  
• Select chain : forward (because we just need to record ip address through to the mikrotik router) In. Interface : ether1 (select your interface for LAN, on this example is ether1) Connection State : new (just for record ip address who create new connection) 
  
  
  
• Next, click on the tab Action, select Action : add src to address list, Address List : ip address lokal (you can change the name for Address List to anything), Timeout : 00:10:00 (set timeout according to the needs, i set to ten minutes record, after ten minutes log will be remove, but if ip address still active, will be record again) 
  
• Last step, clik OK, rule will be show in the table 
  
• Now, if there is an ip address client are online/active, we will see that ip address from tab Address List 
  

We can custom or make this rule for work with another filter what we want, like just ip address on address list name ip address lokal only can access Facebook, Twitter, or anything.

Ok, see to the next article later...

How to setting DHCP server on mikrotik

Source : http://www.windowsdevcenter.com/pub/a/windows/2007/06/12/implementing-and-understanding-dhcp.html

Mikrotik router is supported for DHCP Server, we can configuring DHCP server for many network address depending how many interface on your mikrotik router.

So, here is how to configuring dhcp server on mikrotik :

• Connect to your mikrotik router using winbox, like usually :)
• After that, click on IP > DHCP Server
• Next, click on DHCP Setup 
  
• Select interface where we will create dhcp server available (example : ether1, i assume ether1 is gateway for LAN on your Office or Home Network)
  
• Next create Address Space or usually called Subnet Mask, default is /24 
  
• Next give gateway for LAN, default mikrotik router ip address 
  
• Then, create range of address to give out, (example : 10.16.34.200-10.16.34.254) 
  
• Next, give the dns address for LAN (example : i use google dns : 8.8.8.8 and 8.8.4.4) 
  
• And the last step is setup Lease Time for LAN, default is 3d 00:00:00, but on this tutorial i make 00:02:00 or equal to two hours 
  
• To finish configuration, click Next 
  
  
  
  
  
  

Now, to test DHCP Server running or not, we can trying from the Client inside LAN, remove static ip address from LAN. 

You can see the picture above, DHCP Server are work perfectly. :)

Thank you for read

how to block ping on mikrotik

In this posting, i'll share how to blocking ping or icmp packet on mikrotik router. On default, icmp protocol has been opened, because this protocol is used to check is host up or down.

But on certain condition, icmp protocol must be closed to avoid from scanner tool. So we have to close this protocol. On mikrotik we can do this by simple configuration.

Before we configuration, ping to ip address 10.16.34.1 are reply.

Here's how to step by step block icmp packet on mikrotik :

• First, connect to your mikrotik router using winbox
• Then, click IP > Firewall 
  
• On the tab Filter Rules, click plus sign (+) 
  
• Select chain : forward (note : if you want to block ping to mikrotik router, you must select chain : input) and fill in the Dst. Address to ip address target 
  
• Next, on the tab Action, select Action : drop 
  
• Click OK button, and now you can test your rule from Client

After we create rule, now ping to ip address 10.16.34.1 are timeout

You can also create this rule from terminal, if you are familiar using terminal. Open your terminal from winbox or if you are remote using ssh or telnet, just type this command.

 /ip firewall filter add chain=forward dst-address=10.16.34.1 action=drop  

Note :
Chain : change to your chain rule, forward if you are going to block the ip address outside mikrotik router, and input if you are going to block ip address mikrotik router.
Dst-address : change to the target ip address you want to block.

Ok, that's so simple setting, hope its useful.

Port forwarding on mikrotik

Source : http://portforward.com/help/portforwarding.htm

What is Port Forwarding? 
Also called "port mapping," port forwarding is directing traffic from the outside world to the appropriate server inside a local TCP/IP network. Internet services are identified by a standard port number; for example, Web traffic uses port number 80. (source : www.pcmag.com)

Mikrotik router can do port forwarding with just a few steps, but the conditions ip public must be on mikrotik router, although not an absolute requirement. We can also do port forwarding on modem adsl when mikrotik router behind. it will be a complicated configuration.

So, I suggest you to setting ip public in mikrotik router first. On next article i'll explain how to do this.

Here is step by step how to configuration port forwarding on mikrotik router :

• As usual, first connect to your mikrotik router, you can do with winbox or remote shell (like : ssh, telnet)
• Afterthat, open firewall by clicking IP > Firewall from the left menu
• Then, click plus sign (+) like in the picture below to create rule port forwarad 
  
• The next step, select chain : dstnat, fill in the Dst. Address to your ip public mikrotik router, select Protocol : 6 (tcp), and Dst. Port : 80 (you can change to port what you want) 
  
• Last, on the tab Action, select Action : dstnat, then fill to the ip address and port to your local computer, To Addresses : 192.168.1.1, To Ports : 80 
  
• Click OK to save your configuration

We can create this rule from command line, just by typing this on terminal :

 /ip firewall nat add chain=dstnat dst-address=64.x.x.x protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80  

To view rule, typing this on terminal :

 /ip firewall nat print  
 Flags: X - disabled, I - invalid, D - dynamic  
  0  chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=80 protocol=tcp dst-address=64.x.x.x  
    dst-port=80 log=no log-prefix=""  

Now, you can test from outside Network to make sure this configuration success.

Ok, hopefully this will help.

Mikrotik nat configuration

In this tutorial, i'll share how to configuration nat on mikrotik. This configuration serves to connect client to the external network (different networks).

Step by step how to :

• First connect your mikrotik router using winbox
• After that, open tab on the firewall 
  
• Next, click on the tab NAT  and click on the plus (+) sign
  
• On the general tab, select chain : srcnat, fill on the Scr. Address to your range of network, example : 10.16.34.0/24 
  
• Next, on the action tab, select action : masquarade 
  
• Click OK to complete your configuration 
  

Now, configuration nat has been completed. You can test from your client to test ping or try to browsing to the Internet.

Ok, thus the above tutorial hopefully can help you.