Posted by & filed under mikrotik, pfSense, RouterOS.

In this tutorial we will look at how to set up a site-to-site VPN between a pfSense server and a Mikrotik client using OpenVPN the proper way. We’ll be taking advantage of pfSense’s superb certificate management features to do SSL/TLS instead of just a pre-shared key.

Our client will be a Routerboard RB2011, detailed in an earlier post, that connects to a pfSense server. Only the local networks will be shared between the two sites; sharing the external address of the server with the client is out of the scope of this tutorial. In my scenario the client’s local network will be 192.168.11.0/24 and the server’s 192.168.0.0/24. Our encryption will be AES with a key size of 256 bits (the maximum that RouterOS supports on this router as of now).

Let’s first connect to our router and set up the bare minimum. If you don’t know how to do that, please refer to this tutorial to get you started. After we connect via winbox, go to Quick Set:

[Screenshot 01]

And change the defaults to suit our needs:

[Screenshot 03]

Of course after applying the settings it will disconnect because of the network change:

[Screenshot 04]

Now to the server side of things. Log in to pfSense and go to System -> Cert. Manager:

[Screenshot 05]

The Certificate Manager screen will default to the CAs tab, where you can see your Certificate Authorities. If you don’t already have a dedicated CA for site-to-site VPNs, then I highly suggest setting one up here. In my case we will be using the one that starts with bb (it stands for Back-Bone):

[Screenshot 07]

Navigating to Certificates we will see our certificates. At the very least there will be the webConfigurator present:

[Screenshot 08]

In my case I have a lot, so I scroll to the bottom to Add a new one:

[Screenshot 09]

The Add a New Certificate screen will appear:

[Screenshot 10]

We don’t want to import but rather create a new one, so let’s start by creating a server certificate. Give it a descriptive name, in my case bb-server-SOMETHING, where SOMETHING is the remote location’s name. Set the Digest to sha256, the type to Server Certificate and fill in the rest of the required fields as applicable:

[Screenshot 11]

Now let’s add another one, but here we will set the descriptive name to bb-client-SOMETHING and the certificate type to User Certificate; the digest remains sha256:

[Screenshot 12]

Now that we have our certificates we are ready to create our VPN server. Go to VPN -> OpenVPN:

[Screenshots 13 to 44]
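The client side of this setup, as an added example that is not part of the original post: the RouterOS 6 terminal commands that import the bb-client-SOMETHING certificate exported from pfSense and create the OpenVPN client interface. The certificate names and the two networks are the ones the post uses; the server address 203.0.113.10 (documentation range), the interface name ovpn-bb, port 1194, the exported file names and the sha1 auth digest are assumptions.

```routeros
# Added example for RouterOS 6 (winbox "New Terminal" or ssh). Not from the original post.
# Assumed: the CA certificate and the bb-client-SOMETHING certificate plus its private key
# were exported from pfSense (System -> Cert. Manager) and uploaded to the router's Files as
# bb-ca.crt, bb-client-SOMETHING.crt and bb-client-SOMETHING.key.

# 1. Import the CA first, then the client certificate and its key. RouterOS names an
#    imported certificate after the file, so rename the entries to something usable.
/certificate import file-name=bb-ca.crt passphrase=""
/certificate import file-name=bb-client-SOMETHING.crt passphrase=""
/certificate import file-name=bb-client-SOMETHING.key passphrase=""
/certificate set [ find name~"bb-ca" ] name=bb-ca
/certificate set [ find name~"bb-client-SOMETHING" ] name=bb-client-SOMETHING
# The client entry should now carry the K flag (private key present) and, with the CA
# imported, the T flag (trusted):
/certificate print where name~"bb-"

# 2. The OpenVPN client interface. RouterOS 6 OpenVPN is TCP only and supports neither
#    tls-auth nor LZO, so the pfSense server has to be a TCP server with
#    "TLS Authentication" unchecked. cipher=aes256 is the post's choice; auth has to match
#    the server's "Auth digest algorithm" (sha1 assumed here).
#    verify-server-certificate=yes is what makes the router check the server certificate
#    against the imported CA. The default is no, in which case any host presenting any
#    certificate is accepted, which throws away the whole point of using TLS.
/interface ovpn-client add name=ovpn-bb connect-to=203.0.113.10 port=1194 mode=ip \
    user=bb-client-SOMETHING certificate=bb-client-SOMETHING cipher=aes256 auth=sha1 \
    add-default-route=no verify-server-certificate=yes

# 3. Only the local networks are shared: route the server's LAN through the tunnel.
#    (On pfSense, 192.168.11.0/24 has to be listed as the IPv4 Remote Network so it routes back.)
/ip route add dst-address=192.168.0.0/24 gateway=ovpn-bb comment="bb site-to-site"

# 4. Verify: the interface shows the R (running) flag and the route is active.
/interface ovpn-client print detail
/ip route print where comment="bb site-to-site"
```

Because the user certificate created above has the client-authentication purpose and the server one the server-authentication purpose, a leaked client certificate cannot be used to impersonate the pfSense end towards other routers once verify-server-certificate is on; that is the practical reason for creating the two certificates with different types.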

routerboard

Posted by & filed under mikrotik, RouterOS.

Let’s talk about Mikrotik’s RB2011 routers for a second. They are pretty nifty: even though on the hardware side they are a bit lacking, the software more than makes up for it.

There are a lot of different sub-models; this one, the RB2011UiAS-2HnD-IN, is the beefiest, featuring an SFP cage, b/g/n wireless, a micro-USB port and an LCD screen. The cheapest one, the RB2011iL-IN, has none of those options and half the memory. They are all powered by the Atheros AR9344 SoC, somewhat overclocked at 600 MHz. In addition there is a 7-port gigabit switch, the AR8327, also made by Atheros. As mentioned earlier we can choose between 64 MB or 128 MB of RAM, and for storage we have 128 MB of NAND on every model. Since the SoC is a bit old we get 5x 10/100 (Fast) Ethernet ports, but we also get 5x 10/100/1000 (Gigabit) Ethernet ports as well, bringing the total of usable ports to 10 (11 if you count the SFP as well).

[Photo: RB2011UAS-2HnD-IN]

It runs RouterOS, a proprietary operating system Mikrotik makes based on the Linux kernel. It has a lot of features, like firewalling, shaping, QoS, all kinds of VPN servers and clients, etc. Besides being installed on the company’s own routers, it can be purchased separately for x86-based systems as well. The preferred method of configuring it is via the winbox application, which can be downloaded from the manufacturer’s website.

Here is the login screen:

[Screenshot 01]

Usually the IP address of a new router is 192.168.88.1 and the default administrator user is admin with no password set. After we log in, the router wants to apply a default configuration and prompts us if we agree:

[Screenshot 02]

After we agree we can tinker around with the router a bit. Let’s go to Quick Set:

[Screenshot 03]

The Quick Set panel appears. Here we can quickly set up a few things like LAN and WAN IPs, Wireless, administrator password, etc. Let’s change the default WISP AP mode to Home AP:

[Screenshot 04]

It will prompt us that it might lose connectivity, press Yes:

[Screenshot 05]

After the change is committed we get some more options, namely Guest Wireless Network. Before we configure it further, let us first check for any firmware updates by clicking Check For Updates:

[Screenshot 06]

The Check For Updates panel appears. I strongly suggest leaving the Channel on current. It shows that the latest version is 6.34.4, but the installed one is only 6.33.1. It also shows the new features and bug fixes in this version. Let’s update our router by clicking Download&Install:

[Screenshot 07]

It will start downloading and installing the new firmware. After it’s done an automatic reboot is invoked:

[Screenshot 08]

That of course will kick us out of the interface. Let’s wait a bit till it’s fully booted up and press Reconnect:

[Screenshot 09]

After we log in we can see that all the windows left open are still there, and that the installed version now matches the latest. We can now hit OK to get back to the configuration panel:

[Screenshot 10]

Now we can configure the router properly. Enter a Network Name for the Wireless and a Guest Network name for the Guest Wireless fields. Those will be the SSIDs advertised by the router. Set the WiFi Password (by default it uses both WPA and WPA2 authentication and AES ciphers; we can change those later) for the main WiFi and set a Download Limit of 1 Mbps for the guest WiFi. On the right side of the panel we can change the Internet interface’s port and Address Acquisition type, and even spoof a MAC address. Below that we can change the Local Network settings: the router’s IP and Netmask, whether to run a DHCP Server or not and the address range(s) that it will give out. Lastly we can set the administrator password here as well. For the purposes of this tutorial I will leave everything at its default values. Note that the WAN address is 192.168.0.149 and the router will NAT between that and the 192.168.88.0/24 subnet.

[Screenshot 11]

Note that on the router itself there is physically no marking for which are the WAN and which the LAN ports, as opposed to the commonly found consumer routers made by Linksys, Asus, TP-Link and the like. That is because we have full control over how things are connected together. Let’s go to the Bridge menu and check out what’s bridged with what. On the Bridge tab we can see that there is only one bridge, named bridge-local:

[Screenshot 12]

On the Ports tab we can see which physical ports are actually members of that bridge. In this case Ethernet port number 2, number 6, the SFP port and the two WiFi interfaces all belong to the bridge-local bridge. Port number 1 is missing since it is the WAN port in this configuration, and ports 3, 4, 5, 7, 8, 9 and 10 are connected to the bridge as well, but in a different way; we will see how a bit later.

[Screenshot 13]

If we go to the Filters tab, we can see that we already have two rules. They drop all packets that come in from the wlan2 WiFi interface (our guest WiFi) and want to access the bridge, and vice versa. This is how the guest WiFi is isolated from the rest of the LAN. Users on the guest WiFi still get an IP in the 192.168.88.0/24 subnet, but they can only access the router (and the internet, since the router is NAT-ing) and nothing else, not even other guest WiFi users.

[Screenshot 14]

Let’s go and check out the Wireless Tables by clicking Wireless in the left menu. As we expect, we can see the two WiFi interfaces:

[Screenshot 15]

Going to the Access List tab we can see that there is a rule applied to the guest WiFi interface:

[Screenshot 16]

Remember when we set the maximum download speed of the guest WiFi interface to 1 Mbps? This is where that is set. Let’s check the rule in more detail:

[Screenshot 17]

Some ports were missing from the bridge yet they still worked, but how? They are set under the Switch menu, so let’s take a closer look. In the Switch tab we can see that we have 2 switches:

[Screenshot 18]

On the Port tab we can see which port belongs to which switch. Remember that this router has two switches: the SoC itself with 5x fast Ethernet ports and another with 5x gigabit ports. Ethernet port 1 is the gateway, port 2 is the master of ports 3, 4, 5 and port 6 is the master of ports 7, 8, 9, 10.

[Screenshot 19]

Now let us look at the individual interfaces by clicking Interfaces on the menu. Here we can change where each port belongs and divide the switch into different segments (for example if we want a wired guest network as well, not just a wireless one). Note that these are all different interfaces, meaning that for example the MAC address of port 8 is different from that of port 9:

[Screenshot 20]

Lastly, these are the firewall rules that were set during the Quick Set. The Firewall can be accessed under IP -> Firewall. The first tab shows the Filter Rules:

[Screenshot 21]

And on the NAT tab we can see how everything is masqueraded onto port 1, the gateway.

[Screenshot 22]
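The Quick Set result walked through above, written out as RouterOS 6 terminal commands. This is an added example; it is neither from the original post nor Mikrotik's own generated default script. It reproduces what the screenshots show: bridge-local with ether2, ether6, sfp1, wlan1 and wlan2 as members, the master ports, the two guest-isolation bridge filter rules, the 1 Mbps guest limit in the access list and masquerading on ether1. The SSIDs Home and Guest, the security profile name, the passphrase placeholder, the DHCP pool range and the exact input/forward filter rules are assumptions.

```routeros
# Added example for RouterOS 6, not the original post's configuration and not Mikrotik's
# default script. Assumed names: SSIDs Home and Guest, wireless security profile "home".

# Switch groups. Traffic between ports of one group is switched in hardware; only the
# master port of each group is a bridge member, which is why ether3-5 and ether7-10
# do not appear in the bridge port list.
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6

# Main WiFi: WPA and WPA2 with AES (aes-ccm); guest WiFi as a virtual AP on the same radio.
/interface wireless security-profiles
add name=home mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa-pre-shared-key=CHANGE-ME-PASSPHRASE wpa2-pre-shared-key=CHANGE-ME-PASSPHRASE
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=Home security-profile=home disabled=no
add name=wlan2 master-interface=wlan1 mode=ap-bridge ssid=Guest disabled=no

# One bridge for the whole LAN.
/interface bridge
add name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2

# Guest isolation: nothing is forwarded from or to wlan2 through the bridge, in either
# direction, so guests reach neither the LAN nor each other. Traffic to the router's own
# address goes through the bridge input chain, not forward, so that still works.
/interface bridge filter
add chain=forward in-interface=wlan2 action=drop comment="guest: no access to LAN"
add chain=forward out-interface=wlan2 action=drop comment="guest: no access from LAN"

# The 1 Mbps guest download limit lives in the wireless access list. ap-tx-limit is in
# bits per second; with no mac-address given the entry applies to every client of wlan2.
/interface wireless access-list
add interface=wlan2 ap-tx-limit=1000000 comment="guest download limit"

# LAN address, DHCP and DNS; DHCP client on the WAN port (it got 192.168.0.149 in the post).
/ip address
add address=192.168.88.1/24 interface=bridge-local
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=default address-pool=dhcp interface=bridge-local disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-client
add interface=ether1 disabled=no
# allow-remote-requests makes the router a resolver for the LAN; the input drop on ether1
# below is what keeps it from being an open resolver towards the WAN side.
/ip dns
set allow-remote-requests=yes

# Firewall: nothing unsolicited from the WAN reaches the router or the LAN; the LAN is
# masqueraded behind the ether1 address.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop comment="drop unsolicited WAN -> router"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=!dstnat action=drop \
    comment="drop unsolicited WAN -> LAN"
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT to the gateway port"
```

Pasting this into a fresh router over winbox is safe only if winbox is connected through a LAN port and not ether1, since the input drop rule cuts off management from the WAN side; the same rule is also what the site-to-site tutorial above relies on to keep the only WAN-facing service the OpenVPN port that pfSense connects to.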

As you can see, the Quick Set option sets up the router pretty well and really fast, but for more advanced stuff we are going to have to do everything manually.