How To: MikroTik Router With NAT And VPN Access (CLI)
This technical guide shows how to set up a MikroTik router with 1:1 NAT translation and secure VPN access, using only the command line.
1. Performing Initial Setup
Initial setup must be done over the command line interface (CLI).
Log in to the system with the default admin username and password.
The first thing to do is identify the network interfaces by running the following command:
[admin@Mikrotik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME     MTU   MAC-ADDRESS        ARP
 0  R ether2   1500  00:00:00:00:00:00  enabled
 1  R ether1   1500  00:25:90:60:4C:A8  enabled
Now we can decide which network card will be LAN and which will be WAN.
To avoid confusion, you can rename the interfaces to something more appropriate. In this case ether2 will be LAN and ether1 will be WAN.
The following command will rename the interfaces.
[admin@Mikrotik] > interface set 0 name=LAN
[admin@Mikrotik] > interface set 1 name=WAN
The numeric value (0 or 1) is the number shown in the # column of the list.
Run the following command to confirm the change is completed.
[admin@Mikrotik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME     MTU   MAC-ADDRESS        ARP
 0  R LAN      1500  00:00:00:00:00:00  enabled
 1  R WAN      1500  00:25:90:60:4C:A8  enabled
2. Change Admin Password
This step is strongly recommended: the default admin password is blank, so if you manage the router from outside the network you are an easy target for a brute-force attack.
To change the password, run:
[admin@Mikrotik] > user set 0 password=MY-NEW-PASSWORD
3. Add default VPN Pool range
Use the following to set the IP address range for your VPN pool:
/ip pool add name=VPN-Address-Pool ranges=192.168.2.2-192.168.2.254
4. Set the default VPN Profile to use the DNS and Local-Address for VPN
The following command sets the default VPN profile to use Google's DNS server and the router's own address as the local address for the VPN (in this case 1.1.1.1):
/ppp profile set *0 dns-server=8.8.8.8 local-address=1.1.1.1 \
    remote-address=VPN-Address-Pool
5. Enable L2TP Server with IPSec
Now enable the L2TP VPN server with IPSec by issuing the following commands:
/interface l2tp-server server set default-profile=default enabled=yes \
    ipsec-secret=8793679Ghhjg8ghgjf use-ipsec=yes
6. Adding additional IP addresses
Additional IP addresses can now be added to the relevant interfaces (your public IP address goes on the WAN interface and your private IP on the LAN interface):
/ip address
add address=1.1.1.1/23 comment="Management / Masquerade" interface=WAN \
    network=2.2.2.2
add address=3.3.3.3/23 comment="Extra IP" interface=WAN network=4.4.4.4
add address=5.5.5.5/24 comment=Mikrotik-ip interface=LAN network=6.6.6.6
7. Configure Firewall Rules
At this stage we configure the firewall filter rules. They allow the relevant protocols (HTTP/HTTPS, SSH and ICMP) in from the WAN side, block everything else to that address, and set up the 1:1 NAT:
/ip firewall filter
add action=accept chain=forward comment="Allow HTTP/HTTPS" dst-address=1.1.1.1 \
    dst-port=80,443 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="Allow SSH" dst-address=1.1.1.1 \
    dst-port=22 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="Allow ICMP/PING" dst-address=1.1.1.1 \
    in-interface=WAN protocol=icmp
add action=drop chain=forward comment="Block All" dst-address=1.1.1.1 \
    in-interface=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="1:1 NAT Outgoing Traffic" \
    out-interface=WAN src-address=1.1.1.1 to-addresses=2.2.2.2
add action=dst-nat chain=dstnat comment="1:1 NAT Incoming Traffic" \
    dst-address=2.2.2.2 to-addresses=1.1.1.1
add action=masquerade chain=srcnat comment="Send all traffic to internet" \
    out-interface=WAN src-address=1.1.1.0/16 to-addresses=2.2.2.2
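The rule order above matters: RouterOS walks each chain top to bottom, stops at the first rule that matches, and silently accepts any packet that reaches the end of a chain without matching. The "Block All" drop therefore only protects traffic arriving on WAN for 1.1.1.1; anything else falls through to the implicit accept. The following Python model is an added example, not RouterOS code and not part of the original guide. It reproduces the forward chain and the 1:1 NAT mapping from step 7 with the guide's interface names and addresses, runs the dstnat rewrite before the forward filter (as RouterOS does), and then feeds in constructed sample traffic. One caveat the model does not cover: packets addressed to the router itself are evaluated in the input chain, not forward.

```python
"""First-match model of the step 7 forward chain and 1:1 NAT rules.

Added example for the guide above; it is not RouterOS code. Interface names
and addresses come from the guide, the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str
    comment: str
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_address: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must hold; an omitted matcher means "any",
        # exactly as an omitted property does in a RouterOS rule.
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dst_address and ip_address(pkt.dst) not in ip_network(
                self.dst_address, strict=False):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


# The forward chain from step 7, in the order the guide adds the rules.
FORWARD_CHAIN = [
    Rule("accept", "Allow HTTP/HTTPS", in_interface="WAN", protocol="tcp",
         dst_address="1.1.1.1", dst_ports=(80, 443)),
    Rule("accept", "Allow SSH", in_interface="WAN", protocol="tcp",
         dst_address="1.1.1.1", dst_ports=(22,)),
    Rule("accept", "Allow ICMP/PING", in_interface="WAN", protocol="icmp",
         dst_address="1.1.1.1"),
    Rule("drop", "Block All", in_interface="WAN", dst_address="1.1.1.1"),
]

# 1:1 NAT from step 7: public 2.2.2.2 is translated to internal 1.1.1.1 on
# the way in (dst-nat) and back again on the way out (src-nat).
DST_NAT = {"2.2.2.2": "1.1.1.1"}
SRC_NAT = {internal: public for public, internal in DST_NAT.items()}


def evaluate(chain, pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or the implicit
    accept RouterOS applies when a packet reaches the end of the chain."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "implicit (end of chain)"


def dst_nat(pkt: Packet) -> Packet:
    """dstnat chain: rewrite the destination before routing and filtering."""
    return Packet(pkt.in_interface, pkt.protocol, pkt.src,
                  DST_NAT.get(pkt.dst, pkt.dst), pkt.dst_port)


def src_nat(pkt: Packet, out_interface: str) -> Packet:
    """srcnat chain: rewrite the source address only when leaving via WAN."""
    if out_interface != "WAN":
        return pkt
    return Packet(pkt.in_interface, pkt.protocol,
                  SRC_NAT.get(pkt.src, pkt.src), pkt.dst, pkt.dst_port)


def inbound_decision(pkt: Packet) -> Tuple[str, str]:
    """Inbound path: dst-nat first, then the forward filter chain."""
    return evaluate(FORWARD_CHAIN, dst_nat(pkt))


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.7 is a documentation address and
    # 5.5.5.10 is a host in the guide's 5.5.5.5/24 LAN.
    samples = [
        Packet("WAN", "tcp", "198.51.100.7", "2.2.2.2", 443),
        Packet("WAN", "tcp", "198.51.100.7", "2.2.2.2", 3389),
        Packet("WAN", "icmp", "198.51.100.7", "2.2.2.2"),
        Packet("WAN", "udp", "198.51.100.7", "2.2.2.2", 53),
        Packet("LAN", "tcp", "5.5.5.10", "1.1.1.1", 3389),
    ]
    for p in samples:
        print(p, "->", inbound_decision(p))
```

The last sample packet is the one to pay attention to: it arrives on LAN, matches none of the four rules and is accepted by the implicit end-of-chain policy. If that is not the intended behaviour, the fix is an explicit final drop rule with no in-interface restriction, placed after all the accepts.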
8. Add Default Gateway
The following command will set the default gateway IP address:
/ip route add comment="Default GW" distance=1 gateway=1.1.1.1
9. Configure router local services
We now need to configure the router's own services. In this case we disable Telnet, FTP and the API, and move SSH from its default port to port 750:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=750
set api disabled=yes
10. Set L2TP Username, Password and IP Address
Now that we have our server successfully configured, we can create a test user for the VPN server. The following commands will add the user “testuser” with the password “password”, and specify their IP address as 5.5.5.5:
/ppp secret add name=testuser password=password remote-address=5.5.5.5 \
    service=l2tp
Congratulations! You can now connect to the VPN with the username and password set in step 10.