1. Routers with MikroTik and Alpine Linux
In this lab, a MikroTik router template and an Alpine Linux template will be prepared for use in the following scenario:
xxxx x xxx
xxx xx
xxxxxxxx xx
┌───────────┐ xx x
│ ROUTER │ xx x
│ default ├───────────xx internet x
│ isard │ xx x
└─────┬─────┘ xxxxxx x
│.1 x xx x x x x x x
│ default network
──┬────────────────┴────────────────────────────
│ 192.168.120.0/22
│
dhcp │.x.y
┌──────┴────────────┐
│ inet │
│ │
│ DESKTOP │dhcp wireguard-vpn network
│ ROUTER ISARD vpn ├───────────────────────────────────────┬────────
│ │.X.Y 10.2.0.0/16 │
│ lan1 │ │.0.1
└──────┬────────────┘ ┌───────┴────────┐
│.1 │ FIREWALL │
│ personal 1 network │ ISARD │
───┴────────┬────────────────────── └──────┬─────────┘
│ 192.168.88.0/24 │
dhcp│.X │
┌──────┴──────┐ ┌┴┐
│ eth0 │ │V│
│ │ │P│
│ DESKTOP │ │N│
│ │ └┬┘
│ internet │ │10.0.X.Y
│ access │ ┌──────────┴──────────┐
│ through │ │ wireguard │
│ personal │ │ │
│ network │ │ MY PC │
│ │ │ with isard user’s │
│ configure │ │ wireguard config │
│ mikrotik │ │ │
└─────────────┘ └─────────────────────┘
Mikrotik RouterOS in IsardVDI
We will need a desktop running MikroTik's RouterOS to provide internet access to a desktop connected to the personal network. This router will do NAT "MASQUERADE" towards the Default network (the exit to the Internet), which means it replaces the source IP of the internal devices with its own public IP so that they can browse the Internet. It will also run a DHCP server. The router can be reached through the personal VPN network, so that it can be configured more conveniently from our PC.
This configuration can serve as the basis for the more complex network labs in the following sections.
Create desktop with base RouterOS by cloning the disk from the image
We create a virtual desktop based on the SystemRescue ISO.
We boot the SystemRescue system.
Once inside the desktop, we make several configurations:
# We change the keyboard layout to Spanish
setkmap es
# We remove the firewall rules and set the default policy to ACCEPT
# iptables -X: deletes user-defined chains (the built-in ones remain). It cannot delete a chain
#   that is still referenced by a rule, which is why, run before -F, it leaves LOGDROP behind
#   in the output below.
# iptables -F: flushes all rules in all chains.
# iptables -P INPUT ACCEPT: sets the default policy of the INPUT chain,
#   so all incoming connections are accepted by default.
iptables -X; iptables -F; iptables -P INPUT ACCEPT
We verify that there are no Firewall rules left and that the SSH service is listening:
iptables-save
ss -tlnp
# The expected output of these commands is:
[root@sysrescue ~]# iptables-save
*filter
:INPUT ACCEPT [78:13518]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [172:18618]
:LOGDROP - [0:0]
COMMIT
[root@sysrescue ~]# ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=375,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=375,fd=4))
Change the root password:
passwd
If we want to connect via SSH from our PC
If we want to enter the system from our PC, it is enough to use SSH, since the system has no graphical interface. To do this, we can follow this guide:
We go to the MikroTik website, where the download links for all versions are listed:
We look for the most recent stable image, in its img version. It is important that it has this format: chr-VERSION.img.zip. Currently, the latest stable one is: chr-7.18.2.img.zip.
The download URL for this version is:
On the same download page, the sha256 checksum of each file is shown (it varies for each file and version); it lets us check that the file we decompress later is authentic. For the file and version used in this practice, the checksum is: 5452ab6b298458a3e266e2cdd4cf664cddbe44f5861991843d5924e3fa4d576f
With the following command we check that we have 4 GB free in the temporary directory to download the image:
[root@sysrescue ~]# df -h /tmp
Filesystem Size Used Avail Use% Mounted on
tmpfs 3.9G 0 3.9G 0% /tmp
We download the file to the /tmp directory and verify the checksum:
wget -O /tmp/routeros.img.zip https://download.mikrotik.com/routeros/7.18.2/chr-7.18.2.img.zip
sha256sum /tmp/routeros.img.zip
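As an added example (not part of the original guide), the same download and check written as a small shell script that refuses to unpack the image unless the checksum matches, and deletes a mismatching file so that a later dd step cannot write it to the disk by mistake. The URL and checksum are the ones given in this section; the function names and the --fetch option are chosen here:

```shell
#!/bin/sh
# Download the CHR image, check its SHA-256 and unpack it only when the check
# passes. URL and checksum are the ones given above for chr-7.18.2.img.zip.
ROUTEROS_URL="https://download.mikrotik.com/routeros/7.18.2/chr-7.18.2.img.zip"
ROUTEROS_SHA256="5452ab6b298458a3e266e2cdd4cf664cddbe44f5861991843d5924e3fa4d576f"

# verify_sha256 FILE EXPECTED_HEX -> exit status 0 on match, 1 otherwise.
# sha256sum -c reads "<hash>  <path>" lines from stdin and compares them.
verify_sha256() {
  file="$1"; expected="$2"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1
}

# fetch_and_unpack_image [DEST_ZIP]: download to DEST_ZIP (default
# /tmp/routeros.img.zip), verify it, then unzip next to it. A file whose
# checksum does not match is removed so it cannot be cloned to /dev/vda later.
fetch_and_unpack_image() {
  dest="${1:-/tmp/routeros.img.zip}"
  wget -O "$dest" "$ROUTEROS_URL" || return 1
  if verify_sha256 "$dest" "$ROUTEROS_SHA256"; then
    unzip -d "$(dirname "$dest")" "$dest"
  else
    echo "checksum mismatch for $dest, refusing to unpack" >&2
    rm -f "$dest"
    return 1
  fi
}

# Usage: sh fetch_chr.sh --fetch [/tmp/routeros.img.zip]
if [ "${1:-}" = "--fetch" ]; then
  fetch_and_unpack_image "$2"
fi
```

verify_sha256 can be reused for any other image the lab downloads: it only needs the file and the published checksum.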
Once we have verified that the checksum matches, we decompress the content:
unzip -d /tmp/ /tmp/routeros.img.zip
This extracts a 128M disk image:
[root@sysrescue /tmp]# ls -lh /tmp/*.img
-rw-r--r-- 1 root root 128M Apr 17 13:50 /tmp/chr-7.18.2.img
Now we have to clone this image onto the virtual disk /dev/vda:
[root@sysrescue /tmp]# hdparm /dev/vda
/dev/vda:
readonly = 0 (off)
readahead = 256 (on)
geometry = 41610/16/63, sectors = 41943040, start = 0
For this we use the dd tool:
# if: input file, in this case the disk image file.
# of: output file, in this case the virtual disk device.
# bs: block size for reads and writes; with large files it speeds up the copy, which by default is done in small blocks.
# status: shows the progress, useful if the file is very large; in our case it will be almost instantaneous.
dd if=/tmp/chr-7.18.2.img of=/dev/vda bs=1M status=progress
Now we can power off the virtual desktop with:
poweroff
We can now edit the desktop and prepare it to create a template.
When editing, we modify these parameters:
- vCPUs: we can leave the 2 vCPUs set earlier.
- Memory (GB): reduce the memory to 1 GB.
- Boot: switch from CD/DVD to Hard Disk.
- Networks: we can add or modify them according to what we want fixed in the template; students can change them later when creating a desktop. It is common for the first interface to be the internet output (Default), the second the VPN network access (WireGuardVPN) and the third the one connected to the personal network (Personal1).
- Remove the SystemRescue ISO.
- Optional: add an image to the desktop card.
Once the hardware changes have been made, we create the template with the following name: routeros 7.18.2
Now we can continue working with our desktop, which will now be based on this new template.
Mikrotik initial configuration
Once the desktop is powered on, it boots from the MikroTik image and gives us its command line, as if we had connected to the router via Telnet or a serial port. Output like the following image should appear on screen:
We log in with:
- Login: admin
- Password: (press Enter, as there is no password yet)
The first thing it asks us to do is set a password. In this case, we use the usual password of our templates, "pirineus", and we reach the MikroTik prompt:
We verify that it has Internet access:
Preparing the desktop for an SSH connection from our PC
If we want to enter the system from our PC, it is enough to use SSH, since the system has no graphical interface. To do this, we can follow this guide:
Before continuing, we want to work more comfortably from a terminal where we can copy and paste commands. The viewer, since the router has no graphical interface, does not allow using the clipboard between the virtual desktop and our computer.
To do this, the WireGuardVPN interface must be enabled and the router told to obtain a dynamic IP address on it via DHCP. The WireGuardVPN network offers a dynamic IP but no default gateway.
We check the active interfaces and their names:
interface print
We check that the second interface, the WireGuardVPN one, is called ether2 (this depends on the position of the interface when editing the virtual desktop).
We configure the interface to obtain an IP address via DHCP and wait until it gets one:
ip dhcp-client add interface=ether2
We check that the IP and routes are correct. The DHCP client has also added the routes needed for us to reach the router from our computer through the personal VPN:
ip address print
ip route print
In this case, the IP in the ether2 interface is 10.2.239.24.
We should now be able to ping the router and access it via SSH from our PC.
When connecting via SSH, since we previously connected to the SystemRescue system at this same IP, a host key conflict will likely appear in ~/.ssh/known_hosts; we can solve it by deleting the previous key:
ssh-keygen -f ~/.ssh/known_hosts -R "DESKTOP_IP_IN_THE_WIREGUARD_VPN_NETWORK"
To access, the admin username is used.
ssh admin@DESKTOP_IP_IN_THE_WIREGUARD_VPN_NETWORK
The result should be something similar to:
➜ ~ ssh admin@10.2.239.24
The authenticity of host '10.2.239.24 (10.2.239.24)' can't be established.
RSA key fingerprint is SHA256:+xpN6EIEw3LTfCzrmH7VWOwGN1cRqCH4RhaB8LkATEs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.2.239.24' (RSA) to the list of known hosts.
admin@10.2.239.24's password:
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 7.14.3 (c) 1999-2024 https://www.mikrotik.com/
Press F1 for help
[admin@MikroTik] >
And we now have access to the command line via WireGuardVPN.
Configure internal network with DHCP and VPN server
At this point we configure an internal LAN network where the router acts as DHCP server and masquerades internet access.
The steps are:
- Group the interfaces into WAN and LAN lists: ether2 and ether3 belong to the internal/personal network (LAN), and ether1 to the external network, the exit to the internet (WAN).
# INTERFACES LIST
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
# Personal 1 interface
add comment=defconf interface=ether3 list=LAN
# WireGuardVPN interface
add comment=defconf interface=ether2 list=LAN
# Default/Internet output interface
add comment=defconf interface=ether1 list=WAN
# NEIGHBOR DISCOVERY
# We apply this so that the hosts on the LAN network can see each other.
/ip neighbor discovery-settings
set discover-interface-list=LAN
- Assign a fixed IP to the ether3 interface (the Personal1 interface).
# INTERNAL IP ADDRESS
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether3 network=192.168.88.0
- DHCP server:
  - Create an IP pool (range of addresses).
# DHCP SERVER
# We create the range of IPs that we want to assign.
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.254
  - Create a DHCP server with this IP pool.
# We specify that the DHCP service applies to the ether3 interface, that is, all equipment connected to this interface will receive a dynamic IP.
/ip dhcp-server
add address-pool=default-dhcp interface=ether3 name=defconf
  - Add the network configuration to the DHCP server.
# We declare the network and the gateway that hosts obtaining a dynamic IP will have.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
- DNS server:
  - Create a DNS server that forwards requests to an external DNS server.
# DNS SERVER
# We allow network devices to use the router as a DNS server, and we define the Google DNS server as the external server.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# We assign the domain name "router.lan" to the router IP.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
- Set up the firewall to masquerade internet access from the internal network.
# FIREWALL MASQUERADE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
- Restrict access to the router: by default, incoming connections are accepted only from the internal network (LAN).
# FIREWALL
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
- Rename the router.
# We change the name to the router.
/system identity
set name=mkt_isard
- Adjust the clock and time zone.
# We assign the time zone.
/system clock
set time-zone-name=Europe/Madrid
/system ntp client
set enabled=yes
# We add IP addresses of time-servers to which the router will connect to synchronize the clock.
/system ntp client servers
add address=213.251.52.234
add address=158.227.98.15
/system clock print
- Rename the interfaces:
  - ether1: inet (internet network Default)
  - ether2: vpnisard (WireGuardVPN network, to connect with our IsardVDI user VPN file)
  - ether3: lan1 (Personal1 network)
# RENAMING INTERFACES
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=inet
set [ find default-name=ether3 ] disable-running-check=no name=lan1
set [ find default-name=ether2 ] disable-running-check=no name=vpnisard
And finally we back up the current configuration in case we want to restore it:
/system backup save name=defconf
We can power off the router from inside with this command:
/system/shutdown
Prepare router configuration as template
If we want this configuration to serve as a template, it is not as simple as with a Windows or Linux operating system.
RouterOS ties interface configuration to MAC addresses. When the disk is cloned, new MAC addresses are generated, so the configuration previously applied to the interfaces no longer matches them and the template does not work for other desktops.
Each desktop derived from a template is created with a different MAC address on each card, so extra steps are needed to make the template ready.
We save the configuration in a command list format:
/export file=initial
We copy the file locally from our PC or from a virtual desktop with Linux operating system:
scp admin@IP_DEL_ROUTER:/initial.rsc /tmp/initial.rsc
We modify the initial.rsc file by adding remove [find] to the DHCP client section, since RouterOS creates a DHCP client automatically by default. In the DHCP client section of the router's initial.rsc file we have:
/ip dhcp-client
add interface=inet
add interface=vpnisard
We modify this part by:
/ip dhcp-client
remove [find]
add interface=inet
add interface=vpnisard
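The edit above can also be made with a script, so that it is repeatable and can be checked before the file is uploaded back to the router. This is an added example, not part of the original guide; the function names are chosen here, the sample export is a constructed excerpt, and the script assumes the section header line is exactly /ip dhcp-client and that RouterOS accepts LF line endings on import (CRLF input is normalised):

```shell
#!/bin/sh
# Insert "remove [find]" directly under the "/ip dhcp-client" section of a
# RouterOS export (initial.rsc). Output goes to stdout. Running it twice does
# not add a second line. CRLF line endings are normalised to LF (assumption:
# RouterOS accepts LF on import).
add_dhcp_client_reset() {
  awk '
    { sub(/\r$/, ""); print }
    $0 == "/ip dhcp-client" {
      # Look at the line after the section header: add the reset only when it
      # is not already there, then emit that line unchanged.
      if ((getline nextline) > 0) {
        sub(/\r$/, "", nextline)
        if (nextline != "remove [find]") print "remove [find]"
        print nextline
      } else {
        print "remove [find]"
      }
    }
  ' "$1"
}

# Exit 0 when FILE already has the reset line right after the header.
has_dhcp_client_reset() {
  awk '
    { sub(/\r$/, "") }
    prev == "/ip dhcp-client" && $0 == "remove [find]" { found = 1 }
    { prev = $0 }
    END { exit !found }
  ' "$1"
}

# Constructed excerpt of an export, mirroring the section shown above.
sample_export() {
  printf '%s\n' '/interface list' 'add comment=defconf name=WAN' \
    '/ip dhcp-client' 'add interface=inet' 'add interface=vpnisard' \
    '/ip dns' 'set allow-remote-requests=yes servers=8.8.8.8'
}

# Usage: sh fix_initial.sh /tmp/initial.rsc   (rewrites the file in place)
if [ $# -gt 0 ]; then
  add_dhcp_client_reset "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  has_dhcp_client_reset "$1" && echo "dhcp-client reset present in $1"
fi
```

Running has_dhcp_client_reset on the file before the scp back is a cheap way to catch an export that was edited in the wrong section.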
Now we only have to upload the file back to the router, overwriting the previous one (this happens automatically when using the same name):
scp /tmp/initial.rsc admin@ROUTER_IP:/initial.rsc
Inside the router, we can list the files and verify that the file was uploaded correctly by looking at the LAST-MODIFIED column (date and time of last modification):
/file/print
Finally, we tell the router to import the commands from the initial.rsc file the first time it starts:
/system/reset-configuration no-defaults=yes run-after-reset=initial.rsc
The router reboots, and we log in as admin with an empty password (press ENTER), as if we were entering the router for the first time. We check the log and the exported configuration to confirm that initial.rsc was applied:
/log/print
/export
And lastly, we repeat the configuration reset, this time with shutdown so that we can clone the current state of the router disk into a template.
/system/reset-configuration no-defaults=yes run-after-reset=initial.rsc shutdown=yes
The desktop powers off and we can create the template with the name router 7.14 inet-vpn-lan.
To verify that the steps of the guide have been completed and everything works properly, a new test desktop must be created from this template, since the current desktop keeps the same MAC addresses and would work regardless.
We create a desktop named test based on the template we just created, "router 7.14 inet-vpn-lan", and check that the router configuration takes effect on the client. If the result is satisfactory, this template is ready to be used in the lab.
Client in the internal network
We create a desktop for the client:
- Template: Vitalinux, Ubuntu, Windows (any preference)
- Networks: only a Personal1 Network
If we connect with the SPICE viewer, we can copy and paste between the desktop and our PC using the clipboard.
From inside the client desktop (here we use Vitalinux), check the following:
- The first interface (Personal1) obtains an IP via DHCP.
ip -c a s ens3
# Expected result
isard@vitalinux:~/Desktop$ ip -c a s ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:75:d3:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.88.254/24 brd 192.168.88.255 scope global dynamic noprefixroute ens3
valid_lft 1581sec preferred_lft 1581sec
inet6 fe80::a8d3:848f:4f11:3ca8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
- We check internet connectivity by pinging 8.8.8.8.
ping -c 1 8.8.8.8
# Expected result
isard@vitalinux:~/Desktop$ ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=15.0 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 15.017/15.017/15.017/0.000 ms
- The DNS configuration is correct.
systemd-resolve --status ens3
# Expected result
isard@vitalinux:~/Desktop$ systemd-resolve --status ens3
Link 2 (ens3)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.88.1
192.168.120.1
DNS Domain: ~.
- It is possible to ping a domain name (DNS resolution works).
ping -c 1 www.google.es
# Expected result
isard@vitalinux:~/Desktop$ ping -c 1 www.google.es
PING www.google.es (216.58.215.163) 56(84) bytes of data.
64 bytes from mad41s07-in-f3.1e100.net (216.58.215.163): icmp_seq=1 ttl=116 time=19.3 ms
--- www.google.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 19.352/19.352/19.352/0.000 ms
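The four checks above, collected into one script that can be run on the client and reports each result as OK or FAIL. This is an added example, not from the original guide. It assumes the client interface is ens3 and the router is 192.168.88.1, as in this lab, and that the client uses systemd-resolved (as the sample output shows); the function names are chosen here and the embedded sample is a constructed copy of the output shown above:

```shell
#!/bin/sh
# Client-side checks for the lab: DHCP lease from the router, gateway and
# internet reachability, DNS server and name resolution. Defaults match this
# lab (interface ens3, router 192.168.88.1). Run with: sh check_client.sh --run

# Constructed sample, modelled on the "ip -c a s ens3" output above.
SAMPLE_IP_OUTPUT='2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:75:d3:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.254/24 brd 192.168.88.255 scope global dynamic noprefixroute ens3
       valid_lft 1581sec preferred_lft 1581sec
    inet6 fe80::a8d3:848f:4f11:3ca8/64 scope link noprefixroute'

# Print the IPv4 address/prefix flagged "dynamic" (a DHCP lease) from
# "ip address show" output read on stdin; prints nothing for static addresses.
dhcp_lease_from_ip_output() {
  awk '$1 == "inet" && /dynamic/ { print $2; exit }'
}

# Succeed when ADDR/PREFIX lies in the router's LAN, 192.168.88.0/24.
in_lan() {
  case "$1" in
    192.168.88.*/24) return 0 ;;
    *) return 1 ;;
  esac
}

# Parse the embedded sample; returns "192.168.88.254/24".
demo_lease() {
  printf '%s\n' "$SAMPLE_IP_OUTPUT" | dhcp_lease_from_ip_output
}

check_client() {
  iface="${1:-ens3}"; gw="${2:-192.168.88.1}"; fail=0
  lease=$(ip -4 address show "$iface" | dhcp_lease_from_ip_output)
  if [ -n "$lease" ] && in_lan "$lease"; then
    echo "OK   DHCP lease $lease on $iface"
  else
    echo "FAIL no dynamic lease in 192.168.88.0/24 on $iface"; fail=1
  fi
  if ping -c 1 -W 2 "$gw" >/dev/null 2>&1; then
    echo "OK   gateway $gw answers"
  else
    echo "FAIL gateway $gw unreachable"; fail=1
  fi
  if ping -c 1 -W 2 8.8.8.8 >/dev/null 2>&1; then
    echo "OK   internet reachable (8.8.8.8)"
  else
    echo "FAIL 8.8.8.8 unreachable: check the router's masquerade rule"; fail=1
  fi
  # systemd-resolved reports per-link servers, as in the sample output above
  if systemd-resolve --status "$iface" 2>/dev/null | grep -q "DNS Servers: $gw"; then
    echo "OK   DNS server on $iface is the router"
  else
    echo "FAIL DNS server on $iface is not $gw"; fail=1
  fi
  if getent hosts www.google.es >/dev/null 2>&1; then
    echo "OK   name resolution works"
  else
    echo "FAIL cannot resolve www.google.es"; fail=1
  fi
  return $fail
}

if [ "${1:-}" = "--run" ]; then
  check_client "$2" "$3"
fi
```

The script exits non-zero when any check fails, so it can be dropped into a test desktop and run after each template change.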
Use Winbox (graphical tool) to configure MikroTik from Linux
From a client connected to the internal LAN network, we can use the Winbox tool.
To use Winbox on Linux distributions we need the Wine package, which allows certain applications compiled for Windows to run on Linux. Some distributions may already have it installed.
We can download Winbox from the MikroTik website or from the terminal:
wget -O ~/winbox.exe https://download.mikrotik.com/routeros/winbox/3.40/winbox64.exe
And we launch it with the command:
wine /ruta/de/descarga/winbox.exe
If it is the first time Wine starts, some messages may appear asking to install additional components. They can be ignored, as they are not needed for Winbox to work.
We reach a screen like the one in the image, where we enter the router IP and the password:
Additional settings for the Winbox experience
We can download a desktop icon:
wget -O ~/winbox_icon.png https://github.com/juanchixd/Mikrotik-linux/blob/main/icons/winbox-128x128.png?raw=true
Create a launcher on our desktop:
cat <<'EOF' > ~/Desktop/Winbox_Mikrotik.desktop
[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=Open Desktop
Name[en]=Winbox Mikrotik
Name[es]=Winbox Mikrotik
Name[es_ES]=Winbox Mikrotik
Exec=sh -c "wine /home/isard/winbox.exe"
Categories=;
Type=Application
Terminal=false
Icon=/home/isard/winbox_icon.png
EOF
Copy it to the autostart directory so that it runs at login:
cp -a ~/Desktop/Winbox_Mikrotik.desktop ~/.config/autostart/
# We restart the system to check that it works.
reboot
We can save this client desktop with the name "client Winbox Vitalinux".
Router based on Alpine Linux
Create Alpine Linux base generic template
To create the desktop we need the Alpine ISO, which we can find on its official website:
We go to the Alpine website and look for the standard version for the x86_64 architecture. We copy the URL and download the ISO into IsardVDI.
The version used in this practice is:
We create a desktop with these characteristics:
- vCPUs: 2
- Memory (GB): 1 GB
- Disk size (GB): 40 GB
- Networks: a single interface to create the generic template.
- Hardware profile: debian10
To install the system, we log in as root; it will NOT ask for a password.
We run setup-alpine and follow the steps of the wizard to configure the network, time zone, etc.
The objective is to prepare a startup script that establishes the firewall rules, routes and actions we want to run when the router boots.
We create a first script:
touch /usr/local/bin/startup_script.sh
chmod u+x /usr/local/bin/startup_script.sh
The script's content can be:
#!/bin/sh
# Alpine does not install bash by default, so the script runs under busybox sh.
ip address show >> /tmp/log_ip.txt
We create the service script:
touch /etc/init.d/router
chmod u+x /etc/init.d/router
The service script must contain:
#!/sbin/openrc-run
depend() {
    after sshd
}
start() {
    ebegin "router starting"
    /usr/local/bin/startup_script.sh
    eend $?
}
Activate the service:
rc-update add router default
Enable the IP forwarding bit:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
We can verify that it is active after a reboot by reading the following file:
cat /proc/sys/net/ipv4/ip_forward
We install the packages needed for the network functions:
apk add iptables iproute2 dnsmasq
Prepare the SSH connection via WireGuardVPN
If we want to enter the system from our PC, we can follow this guide:
To make it work, some commands must be run inside the machine:
- To be able to enter via SSH, bring up the eth1 interface, obtain an IP via DHCP and add the route back to the VPN:
ip link set eth1 up
udhcpc -i eth1
ip route add 10.0.0.0/14 via 10.2.0.1
- To allow entry as root user, we can configure /etc/ssh/sshd_config, modifying the line:
PermitRootLogin yes
We power off the desktop and create the template with the name Alpine redes v1.
Linux network configuration
Once the Alpine template has been created, we can start working from it and configure the network as we like. In this section we propose one way to do it. This router will be assigned the IP address 192.168.88.2/24 so that it does not conflict with the MikroTik router created in the previous section, letting both routers work on the same network.
We add the WireGuardVPN and Personal1 network interfaces, which should end up as follows:
- eth0: Default (internet output)
- eth1: WireGuardVPN
- eth2: Personal1
Once inside the virtual desktop, we edit the script /usr/local/bin/startup_script.sh and add the following content:
#!/bin/sh
# Alpine does not install bash by default, so the script runs under busybox sh.
# CONFIGURE ISARDVDI USER VPN IP
# We add the route manually, since udhcpc does not set it by default.
ip link set eth1 name vpnisard
ip link set vpnisard up
udhcpc -i vpnisard
ip route add 10.0.0.0/14 via 10.2.0.1
# CONFIGURE IP LAN1
ip link set eth2 name lan1
ip link set lan1 up
ip address add 192.168.88.2/24 dev lan1
# DHCP SERVER
# Create configuration file
cat <<'EOF' > /etc/dnsmasq_router.conf
interface=lan1
dhcp-range=192.168.88.20,192.168.88.99,255.255.255.0,24h
dhcp-option=3,192.168.88.2
dhcp-option=6,8.8.8.8,1.1.1.1
EOF
# Boot dnsmasq server
dnsmasq --conf-file=/etc/dnsmasq_router.conf
# NAT MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
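The startup script masquerades but leaves the INPUT and FORWARD chains at their default ACCEPT policy, so this router accepts and forwards anything arriving from the Default network, unlike the MikroTik filter rules configured earlier. As an added example (not part of the original guide), the following shell functions render the equivalent iptables rules for the interface names used above and apply them idempotently, checking with iptables -C before appending with -A so that re-running the script does not stack duplicates. The function names and the --apply option are chosen here; the use of the conntrack extension and the DHCP-reply exception on the WAN are assumptions about the Alpine setup:

```shell
#!/bin/sh
# Stateful firewall for the Alpine router, equivalent to the MikroTik defconf
# filter rules used earlier: masquerade on the WAN, let reply traffic through,
# drop invalid packets, and drop new connections arriving from the WAN both to
# the router (INPUT) and through it (FORWARD). Anything not matched keeps the
# default ACCEPT policy, so lan1 and vpnisard clients can still reach the
# router (SSH) and each other, as with the MikroTik LAN list.
# Each line is "<table> <chain> <rule-spec>" so the same text feeds both
# "iptables -C" (check) and "iptables -A" (append).
# The udp 67->68 rule keeps DHCP lease (re)acquisition on the WAN working,
# since broadcast DHCP replies are not matched as ESTABLISHED by conntrack
# (assumption about the lab's Default network).
render_rules() {
  wan="$1"; lan="$2"
  cat <<EOF
nat POSTROUTING -o $wan -j MASQUERADE
filter INPUT -i lo -j ACCEPT
filter INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter INPUT -m conntrack --ctstate INVALID -j DROP
filter INPUT -p icmp -j ACCEPT
filter INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
filter INPUT -i $wan -j DROP
filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -m conntrack --ctstate INVALID -j DROP
filter FORWARD -i $lan -o $wan -j ACCEPT
filter FORWARD -i $wan -j DROP
EOF
}

# Apply the rules idempotently: "-C" succeeds when a rule already exists, so
# "-A" only runs for missing ones. Requires root and the conntrack extension
# shipped with the iptables package.
apply_rules() {
  render_rules "$1" "$2" | while read -r table chain spec; do
    # $spec is intentionally word-split into separate iptables arguments
    iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
      iptables -t "$table" -A "$chain" $spec
  done
}

# Number of rules rendered, handy for a quick sanity check from the shell.
rule_count() {
  render_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage from startup_script.sh, replacing the single MASQUERADE line:
#   apply_rules eth0 lan1
if [ "${1:-}" = "--apply" ]; then
  apply_rules "${2:-eth0}" "${3:-lan1}"
fi
```

Rule order matters: the ESTABLISHED,RELATED accept must precede the WAN drop in each chain, otherwise replies to the router's own and the clients' outbound connections are discarded. render_rules can be run without root to review the rule set before it is applied.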
Once we have confirmed, using a separate desktop acting as a client, that everything works correctly (it obtains an IP address, has internet access and can resolve DNS names), we create the template with the name router-Alpine.