Mikrotik
Firewall
Chain
- forward - Used to process packets passing through the router
- input - Used to process packets entering the router through one of the interfaces with a destination IP address that is one of the router's own addresses. Packets passing through the router are not processed against the rules of the input chain
- output - Used to process packets originating from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
- It is also possible to create your own (custom) chains and jump to them from the built-in ones
DNS
DOH setup with Quad9
Update DNS Records from DHCP Leases
see MikroTik Script for Automatic DNS Records from DHCP Leases
Add the script under IP -> DHCP Server -> DHCP (tab) -> DHCP server instance -> Script (tab) -> Lease Script, and change the :local dnsDomain "dynamic.example.local" value to your own domain
# When "1" all DNS entries with IP address of DHCP lease are removed
:local dnsRemoveAllByIp "1"
# When "1" all DNS entries with hostname of DHCP lease are removed
:local dnsRemoveAllByName "1"
# When "1" addition and removal of DNS entries is always done also for non-FQDN hostname
:local dnsAlwaysNonfqdn "1"
# DNS domain to add after DHCP client hostname
:local dnsDomain "dynamic.example.local"
# DNS TTL to set for DNS entries
:local dnsTtl "00:15:00"
# Source of DHCP client hostname, can be "lease-hostname" or any other lease attribute, like "host-name" or "comment"
:local leaseClientHostnameSource "lease-hostname"

# Comment used to tag every record this script creates, so only its own records are ever removed
:local leaseComment "dhcp-lease-script_$leaseServerName_$leaseClientHostnameSource"

# Resolve the client hostname either from the lease variable or from the chosen lease attribute
:local leaseClientHostname
:if ($leaseClientHostnameSource = "lease-hostname") do={
    :set leaseClientHostname $"lease-hostname"
} else={
    :set leaseClientHostname ([:pick \
        [/ip dhcp-server lease print as-value where server="$leaseServerName" address="$leaseActIP" mac-address="$leaseActMAC"] \
        0]->"$leaseClientHostnameSource")
}

# Build the comma-separated list of names to manage (FQDN, optionally plus the bare hostname)
:local leaseClientHostnames "$leaseClientHostname"
:if ([:len [$dnsDomain]] > 0) do={
    :if ($dnsAlwaysNonfqdn = "1") do={
        :set leaseClientHostnames "$leaseClientHostname.$dnsDomain,$leaseClientHostname"
    } else={
        :set leaseClientHostnames "$leaseClientHostname.$dnsDomain"
    }
}

# Remove stale records for this IP that were created by this script
:if ($dnsRemoveAllByIp = "1") do={
    /ip dns static remove [/ip dns static find comment="$leaseComment" and address="$leaseActIP"]
}

:foreach h in=[:toarray value="$leaseClientHostnames"] do={
    :if ($dnsRemoveAllByName = "1") do={
        /ip dns static remove [/ip dns static find comment="$leaseComment" and name="$h"]
    }
    /ip dns static remove [/ip dns static find comment="$leaseComment" and address="$leaseActIP" and name="$h"]
    # Only (re)create the record when the lease is being bound, not when it is released
    :if ($leaseBound = "1") do={
        :delay 1
        /ip dns static add comment="$leaseComment" address="$leaseActIP" name="$h" ttl="$dnsTtl"
    }
}
IPv6 Networking
see https://administrator.de/tutorial/ipv6-mittels-prefix-delegation-bei-pppoe-mikrotik-632633.html
DHCPv6 Client Settings - Telekom
- Interface: pppoe-out1
- Request: prefix
- Pool Name: pool-ipv6
- Pool Prefix Length: 64
- Check: Use Peer DNS, Rapid Commit, Add Default Route
Warning
- Pool Prefix Length must be set to 64!!!
- From https://forum.mikrotik.com/viewtopic.php?t=153437#p757747
- In other words, if the ISP gives you a /56 and you set "Pool Prefix Length" to 56, you are telling the MikroTik to create a pool of /56 subnets that just has a single /56 in it (since the ISP only gives you one). -> I think what you actually want is a "Pool Prefix Length" of 64 which means that when the ISP gives you a /56 you slice that up into 256 individual /64's which go into the pool.
-> Check Status
Set IP Address
/ipv6 address add address=::1/64 from-pool=pool-ipv6 interface=bridge
/ipv6 address add address=::1/64 from-pool=pool-ipv6 interface=<VLAN>
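As an added illustration (not from these notes or from MikroTik), the Python model below shows what the DHCPv6 pool holds for a delegated /56 under each Pool Prefix Length, and which /64 the bridge and the VLAN above would be handed by address=::1/64 from-pool=...; the delegated prefix 2001:db8:abcd:ff00::/56 and the interface names are constructed example values.

```python
import ipaddress


def pool_entries(delegated: str, pool_prefix_length: int):
    """Split the ISP-delegated prefix into the sub-prefixes a pool with the
    given Pool Prefix Length would contain (a /56 pool holds one /56, a /64
    pool holds 256 /64s)."""
    net = ipaddress.IPv6Network(delegated)
    if pool_prefix_length < net.prefixlen:
        raise ValueError("pool prefix length must not be shorter than the delegated prefix")
    return list(net.subnets(new_prefix=pool_prefix_length))


def assign_from_pool(delegated: str, pool_prefix_length: int, interfaces, address="::1/64"):
    """Model of '/ipv6 address add address=<addr> from-pool=<pool> interface=<if>':
    each interface consumes one pool entry and gets the entry's prefix combined
    with the host part of <addr>. Interfaces for which no entry is left map to
    None, which is the situation the warning above describes."""
    entries = pool_entries(delegated, pool_prefix_length)
    host = ipaddress.IPv6Interface(address)  # host part ::1, prefix length 64
    result = {}
    for index, iface in enumerate(interfaces):
        if index >= len(entries):
            result[iface] = None  # pool exhausted
            continue
        prefix = entries[index]
        ip = ipaddress.IPv6Address(int(prefix.network_address) | int(host.ip))
        result[iface] = f"{ip}/{host.network.prefixlen}"
    return result


if __name__ == "__main__":
    delegated = "2001:db8:abcd:ff00::/56"  # constructed example, not a real delegation
    for pool_len in (56, 64):
        print(f"Pool Prefix Length {pool_len}: {len(pool_entries(delegated, pool_len))} entries")
        print(assign_from_pool(delegated, pool_len, ["bridge", "vlan10"]))
```

With Pool Prefix Length 56 only the first interface gets an address; with 64 the bridge receives 2001:db8:abcd:ff00::1/64 and the VLAN the next /64, 2001:db8:abcd:ff01::1/64.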
Wireguard VPN
EXTFW - OPNSense
- Public IP Address: vpn.dmdy.de
WireGuard Instance
- Name: wgEXTFW
- Public key: tcJ....
- Private key: *
- Listen Port: 51280
- Tunnel address: 172.16.0.1/24
router - MikroTik
WireGuard - Interface
- Name: wgEXT
- Type: WireGuard
- MTU: 1420
- Public Key: LOx..............