HOW-TO: LAN Configuration of a Mikrotik Virtual Router

In the previous article, we discussed the configuration of the Mikrotik router, with particular focus on connectivity and protection from unauthorized access. This time, we move on to the specific services it will provide to the local area network (LAN).

Configuring the LAN side requires that we avoid locking ourselves out of the router while making changes. What does this mean? If the session in which the changes are made is lost (for example, a rule you add cuts off your own SSH connection), the router rolls back everything done since the mode was entered, so you can reconnect and try again. In Mikrotik lingo, this is called "safe mode". The name itself is very intuitive!

To enter safe mode, press [CTRL]+[X] on the keyboard, the same hotkey used for "cut" by those familiar with the Windows world. Upon entering safe mode, the terminal prompt changes, with the string <SAFE> appended to it. You will see that in the screenshot below.

Mikrotik SSH Safe Mode

To release safe mode and keep the changes, press the same keys again. The prompt returns to normal, showing that safe mode is no longer in effect. Pressing [CTRL]+[D] instead quits safe mode and undoes the changes made while it was active.

Mikrotik SSH Safe Mode (Toggle)

Without further ado, let us configure the router to perform DNS lookups for our network. This configuration forwards queries to Google's public DNS servers (8.8.8.8 and 8.8.4.4) and caches the answers in the router's memory. Change the servers to your own if Google's are not desired. Note that allow-remote-requests=yes makes the router answer DNS for anyone who can reach it, WAN side included; it is the input-chain firewall rules from the previous article (which drop traffic not arriving on the LAN interface) that keep it from becoming an open resolver, so do not remove them.
/ip dns
set allow-remote-requests=yes cache-size=4098KiB servers=8.8.4.4,8.8.8.8

Next, let us prepare the network segments used on the LAN side by defining an IP pool. This will be used for DHCP services later. Let us assume a segment from 192.168.1.0/24.
/ip pool
add name=POOL1 ranges=192.168.1.11-192.168.1.239

Once the pool is defined, let's use that pool for DHCP services. This is done in two parts. First, define the network segment.
/ip dhcp-server network
add address=192.168.1.0/24 comment=LOCAL_LAN dns-server=192.168.1.1 \
 domain=pimp-my-rig.local gateway=192.168.1.1 \
 ntp-server=NTP_SVR_IP_HERE wins-server=WINS_SVR_IP_HERE

Second, define the DHCP directive.
/ip dhcp-server
add add-arp=yes address-pool=POOL1 authoritative=yes disabled=no \
 interface=ether3 lease-time=1d name=DHCP1

This configuration will not be complete without assigning the LAN gateway IP address to an existing interface on the router. In this case, it is ether3.
/ip address
add address=192.168.1.1/24 comment=LOCAL_LAN interface=ether3 network=192.168.1.0
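As an added example (not part of the original article), here is how the add-arp=yes setting on the DHCP server can be turned into a small access control. With the LAN interface set to arp=reply-only, the router only answers ARP for addresses already in its ARP table, and add-arp=yes is what inserts an entry each time a lease is handed out. A host that configures a static address in 192.168.1.0/24 without taking a lease gets no ARP reply from the gateway and cannot pass traffic through it. Interface and object names follow the article; the static lease for a hypothetical printer with MAC 00:11:22:33:44:55 is an assumption for illustration.

```routeros
# Added example, not the article's configuration. ether3, POOL1 and DHCP1
# follow the article; the printer MAC address and IP below are assumptions.

# The router answers ARP on ether3 only for addresses it already knows
# (leased or statically defined) and does no ARP resolution of its own there
/interface ethernet
set ether3 arp=reply-only

# add-arp=yes inserts a dynamic ARP entry for every lease handed out,
# which is what makes reply-only workable on the DHCP-served interface
/ip dhcp-server
set DHCP1 add-arp=yes

# Devices that must keep a fixed address get a static lease instead of a
# manually configured IP, so they still receive an ARP entry
/ip dhcp-server lease
add address=192.168.1.250 mac-address=00:11:22:33:44:55 server=DHCP1 \
    comment="PRINTER (static lease)"

# Checks: leases currently known, and the ARP entries they produced
/ip dhcp-server lease print
/ip arp print where interface=ether3
```

Apply this from a safe-mode session: if the host you are working from has a manually configured address, it loses the gateway the moment reply-only takes effect. Note also what this does not do; hosts on the same switch still reach each other directly, only the router refuses to talk to unleased addresses.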

At this point, the router can provide communication between the devices in the local area network, and it can serve devices that rely on Dynamic Host Configuration Protocol (DHCP) for automatic IP address configuration. Internet connectivity cannot be established yet, since RFC 1918 addresses (to which the 192.168.0.0/16 network belongs) are not routable on the internet. What needs to happen is network address translation (NAT), and the Mikrotik router is just as able to perform this task. We will discuss that in the next article.


For now the router is able to provide network connectivity to hosts within the LAN. It can hand out DHCP leases and cache DNS queries. Please note that all capitalized configuration keywords (e.g. POOL1, DHCP1 and LOCAL_LAN) can be replaced with your own naming convention(s).


ERROR: s3cmd ([Errno 104] Connection reset by peer) Workaround

I use AWS S3 to back up files automatically on my Raspberry Pi (let's call it RPI from here). My RPI does some automation for me on my home network. It has been very successful at doing syncs and automated downloads as well as backups. The usual target for backups is my NAS, but I need to back up the scripts and configuration files as well. When the micro-SD card on the RPI failed, I was grateful that the effort I initially put in paid off.

If you recall, one of the automated systems I have on my home network is a PVR named sickgear. I had its configuration files covered but I missed its database. Too late for that now, but not entirely too late to solve it.

To remediate, I used a script that calls s3cmd (from the s3cmd package) on the RPI. The script is simple: an empty marker file is "touched" at the end of every backup run, and on the next run the database file is compared against it. If the database file is newer than the marker, the backup is executed; otherwise nothing is uploaded.

When I tested the script, I was in for a surprise. The s3cmd implementation on the RPI was not working, and the errors were a mix of:
WARNING: Upload failed: /sickbeard.db ([Errno 104] Connection reset by peer)
WARNING: Retrying on lower speed (throttle=0.0x)
WARNING: Waiting..
 --- OR ---
WARNING: Upload failed: /sickbeard.db ([Errno 32] Broken pipe)
WARNING: Retrying on lower speed (throttle=0.0x)
WARNING: Waiting..

[Errno 104] Connection reset by peer

The retries go on for quite a while and eventually fail. It seems to work for small files but fails as the uploaded file size increases. The workaround suggested on several forums is to ditch s3cmd and replace it with the AWS CLI. Several folks have confirmed that it worked. But I was not inclined to rewrite several scripts for the workaround, so I continued experimenting with s3cmd.

The workaround I discovered was a very simple one. I just replaced "put" with "sync". The differences between the two are explained on the s3tools webpage; one that matters here is that sync skips files whose size and MD5 checksum already match the object in the bucket, which fits the "only when changed" logic of the script. That was just what I needed.

s3cmd sync successful

As you can see from the above screenshot, the same file uploaded to the AWS S3 bucket in a few seconds. No more errors.


I hope this workaround helps you as well.


HOW-TO: Initial Configuration of a Mikrotik Virtual Router

This year, I shifted my technology specialization away from the infrastructure profession to data science, with particular focus on data cleansing, mining, archiving and warehousing. Necessities sometimes require application of my infrastructure background and experience, and this is what I like about my new assignment -- never a boring day. I had the chance to work on the selection of virtual routers and ended up shortlisting two of them, namely VyOS and Mikrotik.

Eventually, the pick was Mikrotik, and I will be posting several notes on my adventure with the Mikrotik Virtual Router. For all intents and purposes, this post pertains to a VMware setup on the x86 architecture. For now let us cover the initial setup.

After downloading the ISO from the Mikrotik website (obtain a license as well), prepare the virtual machine. On mine, I set it up with 2 vCPUs, 512MB of memory and 1GB of disk space. Remove other hardware from the initial configuration (e.g. floppy drive, USB ports, etc.) that a network router will not have. The setup is pretty straightforward, so let's skip that part and assume it went well.

While on the Mikrotik website, download their utility application called "winbox". This will come in very handy to configure the router.

Other tutorials suggest renaming the network interfaces to WAN and LAN; others, ether1-gateway and ether2-local. On mine, I left them as is. So you don't get confused by my setup: ether1 faces the ISP (my primary WAN link), ether2 faces the backup WAN, and ether3 faces my local area network. Please note that all my network interfaces use the vmxnet3 virtual network cards. You may add as many NICs as you need, but for me this is enough for my requirement.

Your ISP will probably give you both a /30 (for the link itself) and a /29 IP block. You will need that information. I cannot provide the particulars of my address blocks, so for all intents and purposes let us assume the link block to be 1.1.1.1/30. To make things easier to interpret, you may plug that information into an IP calculator to obtain the details that need to be added to the router configuration.

IPCALC IP Calculator

Assign that /30 IP address on the Mikrotik router. This can be done a couple of ways. Out of the box the router is reachable at its default address of 192.168.88.1/24 (username "admin", no password). First, the winbox (GUI) way: IP » Addresses, enter the IP address information and set it on interface ether1. Via CLI (terminal in winbox, telnet, or SSH): /ip address add address=1.1.1.2/30 network=1.1.1.0 comment=WAN-PRI interface=ether1. Note that 1.1.1.2/30 (address) and 1.1.1.0 (network) were taken from the IP calculator, as seen above.

Next, secure and protect the router from external access by putting a password, turning off unnecessary services and putting firewall rules.

For my setup, I set a password for admin and limited its access to the console. I created another password-protected user with full admin rights but, unlike admin, allowed to log in from the LAN. PASSWORD below stands for your own (different) passwords.
/user set admin password=PASSWORD address=127.0.0.1/32
/user add name=pimp-my-rig password=PASSWORD group=full address=192.168.0.0/16

After setting the admin password, you may choose to disable it and use the other administrative account in its place: append "disabled=yes" to the /user set admin line. Verify first, from a second session, that the new account can log in from the LAN, otherwise you lock yourself out. Removing the well-known default username takes away half of what a remote brute-force attempt needs, which matters on a router facing your ISP.

Unwanted Services. Access to the router's management services is open by default and needs to be locked down. I also disabled services I no longer need; you will see those below with "disabled=yes" appended. The remaining ones (ssh and winbox) are restricted to the LAN address range.
/ip service
set telnet address=192.168.0.0/16 disabled=yes
set ftp address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16 disabled=yes
set ssh address=192.168.0.0/16
set www-ssl address=192.168.0.0/16 disabled=yes
set api address=192.168.0.0/16 disabled=yes
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 disabled=yes

Execute a "print" to check the current configuration. You should see something similar.

Mikrotik Router Default Services

Firewall. Extend the protection to the built-in firewall. The rules I used are below.
/ip firewall filter
add chain=input action=tarpit protocol=tcp in-interface=!ether3 \
 comment="TARPIT connections not coming from LAN (ETH3)"
add chain=input action=drop in-interface=!ether3 \
 comment="DROP other traffic not coming from LAN (ETH3)"

Execute a "print" to check the current configuration. You should see something similar.

Mikrotik Router Initial Firewall

Rules are interpreted from top to bottom, and the fewer rules there are, the faster the router performs and the fewer resources it consumes. This pretty much locks down the router while allowing configuration from the console or from terminal sessions on the LAN interface. One caveat: the input chain also sees the replies to traffic the router itself originates (its DNS forwarding to 8.8.8.8, NTP, package updates), and those replies arrive on the WAN interfaces, so with only these two rules they are discarded; an accept rule matching connection-state=established,related placed above them is needed for the router's own services to work. I will post configuration on the LAN side and services like DNS, DHCP, web-proxy and NTP in succeeding articles.
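Here is the input chain with that accept rule in place, as an added example rather than the post's own rule set. It also covers the DNS service of the LAN article: with allow-remote-requests=yes on /ip dns, this chain is what keeps the router from answering queries from the WAN. Interface names follow the post (ether1 and ether2 on the WAN side, ether3 on the LAN); the rule order and the invalid-state rule are my choices, and the WAN addressing is assumed to be static as described, so no DHCP-client traffic needs to be admitted from the ISP.

```routeros
# Added example, not the post's own rules. ether3 is the LAN as in the post.
/ip firewall filter
# Replies to traffic the router itself started (DNS forwarding to 8.8.8.8,
# NTP, updates) come back on ether1/ether2 and are evaluated by the input
# chain; accept them before anything is dropped
add chain=input action=accept connection-state=established,related \
    comment="ACCEPT replies to router-originated traffic"
# Packets that belong to no known connection (bad TCP flags, stale state)
add chain=input action=drop connection-state=invalid \
    comment="DROP invalid"
# Management (ssh, winbox), DNS and DHCP for hosts on the LAN side only
add chain=input action=accept in-interface=ether3 \
    comment="ACCEPT everything from LAN (ETH3)"
# Everything else aimed at the router itself arrives from the WAN side
add chain=input action=tarpit protocol=tcp \
    comment="TARPIT TCP not coming from LAN (ETH3)"
add chain=input action=drop \
    comment="DROP other traffic not coming from LAN (ETH3)"

# Check the order and the hit counters; the accept rule must be first
/ip firewall filter print stats where chain=input
```

If the post's original two rules are already present, remove them before adding these (or use /ip firewall filter move to put the accept rule at position 0), since add appends at the end and a drop above the accept defeats it. Do the change in safe mode, then confirm from a LAN host that a lookup through the router resolves and, from outside, that a query to the WAN address gets no answer.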

You may also opt to drop external traffic rather than tarpit it. Tarpit keeps a scanner's TCP connections hanging on a tiny window, which wastes the scanner's time but also tells it that something is listening; drop is the quieter choice. For more information regarding the tarpit action, refer to the explanation on Wikipedia.


I am a CLI guy so I did my configuration mostly on the command line. Hope this helps you in getting your router up and running.


HOW-TO: Protect Yourself Against Malicious Autorun.INF Code

Laziness has its price. One brainchild of what I consider laziness is autorun.inf. I call it a vulnerability rather than a feature; that is just my two cents. The rationale behind this line of reasoning is that viruses and malicious software take advantage of this so-called feature to install themselves and infect your machine before you are aware it hit you. The actual payload varies from viruses to trojans, and likewise the damage it could inflict.

The most common mode by which such malicious code propagates is USB flash drives (others call them thumb drives or external storage devices; they all mean the same thing). Before the viruses, trojans and other malicious software lurking in these devices hit you, do something about it. Protect yourself! Autorun.INF is an inherent security hole that needs to be plugged, and closing it is a simple task.

Just so you get an idea of what AUTORUN.INF functionality is: whenever you plug in external storage and an application window opens automatically, that is AUTORUN.INF at work. Below is an example of what it looks like. In cases of malicious code, this window might or might not be visible.

AUTORUN.INF

The solution to this problem is a registry hack, so before you proceed, ensure you have a backup of your machine. This hack works for me and I am confident it works, but I will not be held liable for consequences that may arise when you execute this procedure on your machine.

As "Administrator", open the registry editor and go to this key: HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion > IniFileMapping > Autorun.inf. The "Autorun.inf" key does not exist by default, so you have to create it. Set its "(Default)" value (a string, REG_SZ) to @SYS:XXXXXXX, where XXXXXXX is any name that does not exist as a key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (the classic choice is @SYS:DoesNotExist).

IniFileMapping

IniFileMapping tells Windows to read the contents of any INI file with that name from the registry instead of from disk. The @SYS: prefix points at a key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and because the key you named does not exist, every Autorun.inf (the file name is case-insensitive) on a plugged-in drive is read as empty and the AutoRun instructions in it are never honoured. This is not obfuscation an attacker has to guess; the redirect applies no matter what the file contains.


Making your computer less vulnerable to malicious code will give you confidence in plugging in an external storage device from a colleague for whatever purposes you deem necessary. Keep in mind that this hack only neutralises Autorun.inf; it does not scan the drive, and it complements rather than replaces the policy that turns AutoRun off for removable drives (the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer).


ERROR: A Required Device Driver is Missing on Windows 7 Install

I could say I'm familiar enough with computers to confidently install just about any modern Windows or Linux operating system from USB, or boot from USB for that matter. However, a recent experience with a Windows 7 install made me hit a brick wall, and the experience was one that made it a little more memorable.

I do installs from USB since not all modern servers and notebooks have internal optical drives, and bringing an optical drive as part of the standard toolkit is too much hassle. Creating your very own USB Windows 7 installer has been posted in this blog before, and I have used the same installer for the past few years without a hitch. It is only now that I have encountered an error trying to install on a friend's notebook.

To give you a better idea of what the error screen looks like, I took a snapshot of the screen with my phone. It is shown below:

A Required Device Driver is Missing

A required CD/DVD device driver is missing. If you have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.


The weird thing is that no matter what I did after this error, it would not let me proceed with the install (the "Next" button is greyed out). So I did the best solution for Windows -- REBOOT! Nada, same result. Out of sheer curiosity, I moved the installer to another USB port. This time the installation proceeded without the error, which really puzzled me. So post-installation, I did my research.

The error message is misleading and will throw you in the wrong direction. As it turns out, on the initial attempts that failed, the installer was plugged into a USB 3.0 port, for which the Windows 7 installer has no native drivers (an in-box xHCI driver only arrived with Windows 8). That is why the installer asked for a driver it did not have: once the boot loader handed over to the installer, it could no longer read the very drive it came from.

To successfully proceed with the install, the USB flash drive containing the installer needs to be plugged into a "legacy" USB 2.0 port that Windows 7 has native drivers for. If you encounter a similar problem, check the hardware manual, locate the USB 2.0 ports (usually a black rather than blue connector) and install from there.


The solution was as simple as that, but it is just as easy to miss. Too much familiarity with a task often has its price.

