Category: Mikrotik configuration

Allow everything on WLAN1 that has a signal above -87dBm (eg, signal between -86 and+120 dBm) , and allow even that signal to drop below -87 dBm for 30 sec.

The allow is authenticate (associate) and forwarding (connect to other clients).
The allow-signal-out-of-range is needed because devices are in their hands, so the signal fluctuates, but I prefer not to drop them immediately.

To stop the weak signal connections on WLAN1 the next line is needed. For everything with signal between -87 and -120 dBm there is no authentication allowed.

The allow-signal-out-of range is short here (1 sec) because this is used for roaming clients that are sticky to their first AP, but they may come back very soon to this AP, and I prefer not to deny them longer than needed.

/interface wireless access-list
add allow-signal-out-of-range=30s interface=wlan1 signal-range= -86..120 
add allow-signal-out-of-range=1s authentication=no forwarding=no interface=wlan1 signal-range=-120..-87

Default Cambium EMP 1000 IP: 169.254.1.1

Default user name: admin and password: admin

1. Open SSH terminal and connect to 169.254.1.1

2. Enable DHCP with command (1 – Static, 2 – DHCP):

config set networkLanIPAddressMode 2

Configure network IP, Mask and Gateway parameters:

config set networkLanIPAddr 10.20.124.10
config set networkLanNetmask 255.255.255.0
config set networkLanGatewayIP 10.20.124.1

3. Save configuration with command:

config save
config apply

4. Reboot devise for changes to take effect.

reboot 

Now you can open Web-browser and go to http://IP configuration page.

To delete OUN from OLT on EPON 2 interface go to config and use interface EPON0/2:

enable
config
interface EPON0/2

To delete ONU use command (note, that adter delete ONU will register on OLT again):

no epon bind-onu mac e067.b37d.d3d3

To add ONU to Black List use command:

epon onu-blacklist mac e067.b37d.d3d3

To remove ONU from Black List use command:

no epon onu-blacklist mac e067.b37d.d3d3

Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.47.10.
Simple Mikrotik Firewall configuration:

In Mikrotik terminal go to Firewall Filter:

/ip firewall filter

For increase the speed of router fist rule should be:

add chain=forward action=fasttrack-connection connection-state=established,related

Allow Established and Related connections for forward and input chains:

add chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
add chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

Drop invalid connections for forward and input chains only from WAN interfaces:

add chain=forward action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""
add chain=input action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""

Allow ICMP ping from WAN only width 128 bits packets:

add chain=input action=accept protocol=icmp in-interface-list=WAN packet-size=0-128 log=no log-prefix=""

Allow remote control by Winbox or SSH only from IP addresses from AccessList:

add chain=input action=accept protocol=tcp src-address-list=AccessList in-interface-list=WAN dst-port=8291,22 log=no log-prefix=""

In IP -> Firewall -> Address List create new address list width name AccessList and add there all IP addresses you want to use for remote connection to your router.

Allow OpenVPN connections:

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1194 log=no log-prefix=""

Allow PPTP VPN connections:

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1723 log=no log-prefix=""
add chain=input action=accept protocol=gre log=no

Allow SSTP VPN connection (443 port,
change port if yout SSTP server run on other port):

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=""

Allow L2TP IPsec VPN connection:

add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp comment="allow L2TP VPN (500,4500,1701/udp)"

Drop all other connections to Mikrotik and to local network:

add chain=input action=drop in-interface-list=WAN log=no log-prefix=""
add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

In IP -> Services menu enable only SSH and Winbox services, for more security you can change default Winbox and SSH ports:

It is all you need to secure your home or office router and network.

Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.48.6. For more stability use firmware from “long term” channel.

Connect to OLT and go into the configuration mode:

enable
config

Let’s look at the current configuration and find the MAC address of the ONT you want to delete:

show running-config

Choose the interface (port) on which ONT is registered:

interface EPON0/1

And delete ONT, for example with mac address 8014.a8b4.eb2c:

no epon bind-onu mac e067.b336.88e8

Done.

To build 30 km point-to-point wireless connection on speed 100 Mbit/s we used two Cambium ePMP 1000 and two 27 dBi parabolic MIMO antennas.

To create point-to-point wireless link we need to configure first antenna as Access Point and the second antenna as Station. First of all make sure there are no interference in front of the antennas:

Let’s configure access point, to log in to the configuration panel open in your web browser address: 192.168.0.1 (Access Point) or 192.168.0.2 (Station). By default enter login: admin and password: admin

We will configure our link based on this schema:

On Access Point select SSID, your country code, work frequency, channel width (20 or 40 mHz) and security password:

Also to achieve the best result select TDD wireless protocol.

On the other side on Station antenna select the same parameters, but in Radio Mode select Subscriber Module.

Don’t forget to change default administrator passwords on both antennas and change your own static or dynamic IP addresses.

On page Monitor->Wireless make sure that your Station connected to Access Point:

We have two local networks on Mikrotik router, for example:
Network1: 192.168.1.0/24 on ether1 interface
Network2: 192.168.2.0/24 on ether2 interface

Let’s prevent access between devices of this two networks.

In Mikrotik terminal go to Firewall Filter:

/ip firewall filter

And create this two rules:

add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.1.0/24
add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.2.0/24

That’s all, now Mikrotik will block all traffic from computers in Network1 to computers in Network2 and from Network2 to Network1.

All other traffic to Internet will be working normally.

If You want to block traffic only from Network2 to Network1 – write only one rule:

add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.1.0/24

If You have white IP on Your mikrotik You can watch high transmit traffic on the WAN interface.

To prevent this – block DNS traffic to 53 port on Your WAN interface (IP > Firewall > Filter):

On graph we can see that after blocking 53 port transmit traffic fell from 25 Mbit/s to 5 Mbit/s:

1. Create CA certificate on Mikrotik:

On tab “Key Usage” leave only crl sign and key cert. sign

2. Create server certificate:

On tab “Key Usage” uncheck all options:

3. Open certificate CA and Sign it:

CA CRL Host – host where your certificate will be checked, write there IP address or domain name of Your Mikrotik.

Field CA need to be empty.

4. Now we signed root certificate, let’s sign Server certificate: open Server certificate, click Sign, in field CA select certificate CA.

That’s all we created our certificates, now let’s create SSTP Server on Mikrotik

5. Creating SSTP Server on Mikrotik.

And now create Your user profile: go to PPP > Secrets, click Add (+) and write user name, password, service, IP address like on screenshot:

Configure SSTP client in Windows 10

First go to the System > Certificates and Export CA certificate:

Download certificate from Mikrotik > Files to Your PC and install it:

Now create new VPN connection:

Also You can use this SSTP connection in Linux – How to install SSTP Client in Linux read in this article: Connect to SSTP server from Linux

To enable compliance test in country list conntect to antenna by SSH to ip 192.168.1.20 and enter next command:

enable_ct

Then save configuration and refresh your browser:

save