Eventually, the pick ended up being Mikrotik, and I will be posting several notes on my adventure with the Mikrotik virtual router. This post pertains to the VMware setup on the x86 architecture. For now let us cover the initial setup.
After downloading the ISO from the Mikrotik website (obtain a license as well), prepare the virtual machine. On mine, I set it up with 2 vCPUs, 512MB of memory and 1GB of disk space. Remove any hardware from the initial configuration that a network router will not have (e.g. floppy drive, USB ports, etc). The installation itself is straightforward, so let's skip that part and assume it went well.
While on the Mikrotik website, download their utility application called "winbox". This will come in very handy to configure the router.
Other tutorials suggest renaming the network interfaces to WAN and LAN; others, ether1-gateway and ether2-local. On mine, I left them as is. So you don't get confused by my setup: ether1 faces the ISP (my primary WAN link), ether2 faces the backup WAN, and ether3 faces my local area network. Please note that all my network interfaces use the vmxnet3 virtual network card. You may add as many NICs as you need, but for me this is enough for my requirement.
Your ISP will probably give you both a /30 and a /29 IP block. You will need that information. I cannot provide the particulars of my address blocks, so for all intents and purposes let us assume the /30 is 1.1.1.0/30, with 1.1.1.1 on the ISP side of the link and 1.1.1.2 for the router. To make things easier to interpret, you may plug that information into an IP calculator to obtain the details (network address, usable hosts, broadcast) that need to go into the router configuration.
Assign the router's /30 address on the Mikrotik router. This can be done a couple of ways. First the winbox (GUI) way: IP » Addresses, enter the IP address information and set it on interface ether1. Via CLI (the terminal in winbox, or telnet, or SSH): /ip address add address=1.1.1.2/30 network=1.1.1.0 comment=WAN-PRI interface=ether1. Until you change it, the router is reachable at its default address of 192.168.88.1/24 (username "admin" with no password). Note that 1.1.1.2/30 (address) and 1.1.1.0 (network) are the values the IP calculator gives for the assumed block.
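The same step as a complete set of CLI commands, added here as an example and not taken from the original post: it uses the placeholder block 1.1.1.0/30 from the text, assumes that 1.1.1.1 is the ISP's gateway, and adds the default route the router needs before it can reach anything beyond the /30, followed by the checks that confirm it worked.

```routeros
# Added example, not the post's own configuration. Addresses are the placeholder
# block from the text; 1.1.1.1 is assumed to be the ISP side of the /30 link.
/ip address add address=1.1.1.2/30 network=1.1.1.0 interface=ether1 comment=WAN-PRI

# Without a default route the router holds the address but can reach nothing past the /30.
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 comment=WAN-PRI-default

# Checks: the address is bound to ether1, the default route shows as active (A flag),
# and the ISP gateway answers.
/ip address print where interface=ether1
/ip route print where dst-address=0.0.0.0/0
/ping 1.1.1.1 count=3
```

If the ping to the gateway fails while the address prints correctly, the problem is on the link (wrong VMware port group on ether1, or the ISP side is not yet provisioned), not in the router configuration.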
Next, secure the router against external access: set a password, turn off unnecessary services and add firewall rules.
For my setup, I set a password for admin and then limited its access to the console. I created another password-protected user with full admin rights which, unlike admin, is allowed to log in from the LAN.
/user set admin password=PASSWORD address=127.0.0.1/32
/user add name=pimp-my-rig password=PASSWORD group=full address=192.168.0.0/16
After setting the admin password, you may choose to disable the account altogether and use the other administrative account in its place: simply append disabled=yes to the /user set admin line. Attackers working through default credentials try the "admin" username first, so removing it makes the router harder to break into, which matters on the router facing your ISP.
Unwanted Services. By default the management services listen on every interface, including the one facing the ISP, so the router needs locking down to be secure. I also disabled the services I no longer need; those are the lines below with disabled=yes appended, and the remaining services are restricted to addresses on the LAN.
/ip service
set telnet address=192.168.0.0/16 disabled=yes
set ftp address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16 disabled=yes
set ssh address=192.168.0.0/16
set www-ssl address=192.168.0.0/16 disabled=yes
set api address=192.168.0.0/16 disabled=yes
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 disabled=yes
Execute /ip service print to check the current configuration. You should see something similar.
Firewall. Extend the protection with the built-in firewall. The rules I used are below.
/ip firewall filter
add chain=input action=tarpit protocol=tcp in-interface=!ether3 \
comment="TARPIT connections not coming from LAN (ETH3)"
add chain=input action=drop in-interface=!ether3 \
comment="DROP other traffic not coming from LAN (ETH3)"
Execute /ip firewall filter print to check the current configuration. You should see something similar.
Rules are evaluated from top to bottom, and the fewer rules there are, the faster the router processes packets and the fewer resources it consumes. This pretty much locks down the router while still allowing configuration from the console or from terminal sessions on the LAN interface. Note that, as written, these two rules also discard everything arriving on ether1 and ether2, including replies to connections the router itself opens (its own DNS lookups, NTP, package updates), because nothing ahead of them accepts connection-state=established,related; add such a rule above them if the router needs to talk to the Internet on its own behalf. I will post the configuration of the LAN side and of services like DNS, DHCP, web-proxy and NTP in succeeding articles.
You may also opt to drop external traffic rather than tarpit it. A tarpit replies to the incoming SYN with a SYN/ACK and then holds the connection, so a scanner's connection attempt hangs instead of failing fast; the trade-off is that the router answers on every TCP port and keeps state for each held connection, so a plain drop is quieter and cheaper under a flood. For more information on the tarpit action, refer to the excellent explanation on Wikipedia.
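An input chain that keeps the post's intent (management only from the LAN, everything else tarpitted or dropped) but does not cut the router off from its own upstream connections, added here as an example and not the post's own rule set. It assumes the interface layout from the post (ether3 is the LAN, ether1 and ether2 are the WAN links) and a default ICMP rate of 10 packets per second with a burst of 5, which is an arbitrary choice.

```routeros
# Added example, not the post's own configuration. ether3 is the LAN and
# ether1/ether2 are the WAN links, as in the post; everything else is assumed.
/ip firewall filter

# 1. Replies to connections the router opened itself (DNS, NTP, updates) must
#    get in; without this rule the blanket drop at the bottom discards them.
add chain=input action=accept connection-state=established,related \
    comment="ACCEPT replies to the router's own connections"
add chain=input action=drop connection-state=invalid \
    comment="DROP packets that belong to no tracked connection"

# 2. Keep ping usable from anywhere, but rate-limited so it cannot flood the router
#    (limit is rate[/time],burst:mode; 10 packets per second, burst 5, assumed values).
add chain=input action=accept protocol=icmp limit=10,5:packet \
    comment="ACCEPT rate-limited ICMP"

# 3. Management (SSH, winbox) only from the LAN side. The /ip service address
#    restrictions from the post still apply on top of this.
add chain=input action=accept in-interface=ether3 \
    comment="ACCEPT everything from LAN (ETH3)"

# 4. Whatever is left arrived on a WAN link: tarpit new TCP, drop the rest.
add chain=input action=tarpit protocol=tcp connection-state=new in-interface=!ether3 \
    comment="TARPIT new TCP connections not coming from LAN (ETH3)"
add chain=input action=drop in-interface=!ether3 \
    comment="DROP other traffic not coming from LAN (ETH3)"

# Check: rule order and hit counters. After a /ping 1.1.1.1 from the router's own
# terminal, the counters on rule 1 should increase rather than those on the drop rule.
/ip firewall filter print stats
```

Rule order is the whole point: the accept for established,related sits first because it matches the majority of legitimate packets and is cheap, while the tarpit and drop rules at the bottom only ever see the first packet of unsolicited connections. If the backup WAN on ether2 gets its address by DHCP or PPPoE, confirm after applying these rules that the client still comes up, and add an explicit accept for it if it does not.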
I am a CLI guy so I did my configuration mostly on the command line. Hope this helps you in getting your router up and running.