NETWORK

CONFIGURATION
By FONYUY Boris Lami

WIICOM SARL
 NETWORK CONFIGURATION

Table of Contents
1 Introduction..............................................................................................................................1

2 Main prerequisites for configuration.......................................................................................1

3 Resetting MikroTik Router......................................................................................................1

3.1 Method 1...........................................................................................................................2

3.2 Method 2...........................................................................................................................2

3.3 Method 3...........................................................................................................................2

3.4 Method 4...........................................................................................................................3

4 First Login...............................................................................................................................3

5 Protecting the Router...............................................................................................................3

5.1 User Password Access and IP connectivity access...........................................................3

5.1.1 User with full access..................................................................................................4

5.1.2 User with read only privileges...................................................................................4

5.1.3 Remove default admin user for security measures....................................................4

5.2 MAC Connectivity Access................................................................................................4

5.3 Administrative Services....................................................................................................5

6 Upgrade the MikroTik OS.......................................................................................................7

7 General Configurations............................................................................................................8

7.1 Naming a router................................................................................................................8

7.2 Setting router loopback.....................................................................................................8

7.3 Renaming an interface......................................................................................................8

7.4 Setting IPv4 addresses for router interfaces......................................................................9

7.5 OSPF...............................................................................................................................11

7.6 MPLS..............................................................................................................................13

7.7 DHCP..............................................................................................................................13

i
 NETWORK CONFIGURATION
7.8 NAT................................................................................................................................14

8 Yaounde Region....................................................................................................................14

8.1 Telephony Network.........................................................................................................14

8.1.1 PE-Internet...............................................................................................................14

8.1.2 PE-Ngoa-Ekelle-Tel................................................................................................15

8.1.3 PYaounde.................................................................................................................15

8.1.4 PE-Data-Center-1....................................................................................................15

8.1.5 PE-Mbankolo-Tel....................................................................................................16

8.1.6 PE-Soa-Tel...............................................................................................................16

8.1.7 PE-Petit-marche-Tel................................................................................................17

8.1.8 PE-Data-Center-Siege..............................................................................................17

8.1.9 PE-Siege..................................................................................................................17

8.1.10 PE-Internet-Siege.....................................................................................................18

8.1.11 CE-Monitoring-Telephonie.....................................................................................18

8.1.12 CE-Siege-Telephonie...............................................................................................18

8.1.13 Connectique Network..............................................................................................19

8.1.14 Telephone and Connectique network......................................................................20

9 Conclusion.............................................................................................................................21

ii
 NETWORK CONFIGURATION

List of Figures
Figure 1: Telephony Network........................................................................................................19
Figure 2: Connectique Network.....................................................................................................20
Figure 3: Telephony and Connectique Network............................................................................21

iii
 NETWORK CONFIGURATION

1 Introduction
This document presents various proposed configurations for the telephone and “connectique”
network for WIICOM SARL. Prior to effective configurations of each router, we will commence
by resetting the router in order to remove all previous configurations, remove unnecessary
default configurations, upgrade the OS of the router then proceed to proper configurations of the
telephone and “connectique” network.

2 Main prerequisites for configuration

 PC with an OS
 Winbox
Download at link https://download.mikrotik.com/winbox/3.23/winbox64.exe for 64bit
Winbox 3.23 and https://download.mikrotik.com/winbox/3.23/winbox32.exe for the 32bit
3.23 Winbox version which is the most recent version available at the time of this
document. To avoid having some functional limitations, do ensure that you’re using most
recent stable version of Winbox is 3.23 64bits and 32bit versions.
 MikroTik Router(s) to be configured
 Connection between PC and MikroTik router via of the available RJ45 Ethernet ports
using a straight through UTP Cat 5 cable with RJ45 connectors. It’s advisable to use the
MikroTik port which is not going to be modified to avoid being logged out of the router
due to configuration made on a given port.

3 Resetting MikroTik Router

The objective of resetting a router prior to configuration is to ensure that no previous units that
we are not conscious of and cannot account for, be erased so that we have a clean router ready to
receive new configurations.

iv
 NETWORK CONFIGURATION
There are a variety of ways by which the configurations of a MikroTik router can be reset, here
we will present 4 of such methods. It should be noted that the first two methods don’t require
access to the router’s configuration interface whereas the last two require that the user should
have access to the router’s configuration interface. Feel free to use a combination of these

3.1 Method 1
o Connect the router to a power supply
o Use the touch pad screen to find and choose the option Reset configuration
o When prompted to ENTER THE PIN CODE, enter 1234 and validate then wait for the
router to reset and reboot

3.2 Method 2
o Plug device to power supply
o Use a little pin to inert in the port labeled RESET which is found between the Ethernet
ports and VGA port in Cloud Core MikroTik routers and maintain the button pressed
until LED starts flashing then release.
o The router configurations will reset and reboot

3.3 Method 3
o This method is used if you have access to the configuration interface of the router and
this is done by using the following command in the router’s terminal window. It should
be noted that this command ensures that the router is absolutely clean with no default
configurations.

/system reset-configuration no-defaults=yes skip-backup=yes keep-users=no

When the router prompts for confirmation by saying “Dangerous! Reset anyway? [y/N]:”,
Enter y which means “Yes”

v
 NETWORK CONFIGURATION
3.4 Method 4
o This method is similar to Method 3 but involves the use of the the GUI proposed by
MikroTik, go to the menu on the left and click on System.
o In the drop down menu that appears, select Reset Configuration.
o In the box that appears, click on Reset Configuration and when prompted for
confirmation to reset configuration and reboot accept by clicking on Yes

At this level, the MikroTik router has been successfully resetted.

4 First Login
After resetting a MikroTik router, the default user with read and write permissions in the router
has the following credentials

Login: admin
Password:

Successful first login to router

5 Protecting the Router

5.1 User Password Access and IP connectivity access
We will create a number of users with given privilidges based on the agreed policy to be applied.
Here we will illustrate the creation of two users names user_one_all, user_two_read_only. As
concerns passwords, it’s advisable to have passwords with a minimum of 20 characters which
comprise a combination of numbers, symbols, uppercase and lowercase letters and that do not
follow a pattern. Different passwords for different routers and different users. We will end by
eliminating the default user admin for security reasons. In the example illustrated, only hosts in
192.168.10.0/24 network can access the router using the corresponding user.

vi
 NETWORK CONFIGURATION
5.1.1 User with full access
Enter the following command in terminal to create a user with full privileges

/user add name=user_one_all password=a+&WR=*r2F!PWa#T5*U+

disabled=no group=full comment="user_one_all is a full access user"
address=192.168.10.0/24

5.1.2 User with read only privileges

Enter the following command to create a user with no write priviledges

/user add name=user_two_read_only password=FhYX8n&Kp8?y3F$2^G#p

disabled=no group=read comment="user_two_read_all cannot modify
configurations in the router" address=192.168.10.0/24

5.1.3 Remove default admin user for security measures

/user remove admin

It should be noted that there group types can be created based on the user define polices agreed
upon by WIICOM using the following command in terminal. The policies are separated by a
commas

api ftp password read romon sniff telnet tikapp winbox

dude local policy reboot sensitive ssh test web write

An example showing a group

/user group add name=group_name policy=write,winbox comment="description

of newly created group"

5.2 MAC Connectivity Access

By default, mac server runs on all interfaces, so we will disable this using the following
command in terminal

vii
 NETWORK CONFIGURATION
/tool mac-server set allowed-interface-list=none

Similarly, for the WinBox Mac Access, the following command is used to disabled this service

/tool mac-server mac-winbox set allowed-interface-list=none

5.3 Administrative Services

Although firewall protect the router from public interface, you may still want to disable
RouterOS services especially the ones that are not of used for now.

Most of RouterOS administrative tools are configured at /ip service  menu

Keep only secure ones,

/ip service disable telnet,ftp,www,api,api-ssl

Change default service ports, this will immediately stop most of the random SSH brute force
login attempts:

/ip service set ssh port=4500

Additionally, each service can be secured by allowed IP address or address range

ip service set winbox address=aa.bb.cc.dd/e

Bandwidth server is used to test throughput between two MikroTik routers. Disable it in the
production environment.

/tool bandwidth-server set enabled=no

Router might have DNS cache enabled, which decreases resolving time for DNS requests from
clients to remote servers. In case DNS cache is not required on your router or another router is
used for such purposes, disable it. In the case of WIICOM, there is a DNS server.

/ip dns set allow-remote-requests=no

viii
 NETWORK CONFIGURATION
Some RouterBOARDs have an LCD module for informational purposes, set pin or disable it.

/lcd set enabled=no

It is good practice to disable all unused interfaces on your router, in order to decrease
unauthorized access to your router.

Suppose we are connected to the port ether-n for configurations, we can run the following script
to disable interfaces 1 to n−1 and n+1 to the N where N is the total number of interfaces

{
#Ensure that the interface to which you’re connected to do configurations in
#no in the array named interfacesToDisable. In this example, ether10 is
#connected to a PC for configurations.
:local interfacesToDisable { "ether1" ; "ether2" ; "ether3" ; "ether4" ; "ether5" ;
"ether6" ; "ether7" ; "ether8" ; "ether9" ; "ether11" ; "ether12"};
:foreach disableThisInterface in=$interfacesToDisable do={
:local idInterfaceToDisable
:set idInterfaceToDisable [/interface ethernet find name=disableThisInterface]
/interface ethernet set idInterfaceToDisable disabled=yes
}
}

RouterOS utilizes stronger crypto for SSH, most newer programs use it, to turn on SSH strong
crypto

/ip ssh set strong-crypto=yes

Following services are disabled by default, nevertheless it is better to make sure that none of
them were enabled accidentally. This is to ensure that

MikroTik caching proxy,

/ip proxy set enabled=no

ix
 NETWORK CONFIGURATION
MikroTik socks proxy,

/ip socks set enabled=no

MikroTik UPNP service,

/ip upnp set enabled=no

MikroTik dynamic name service or IP cloud,

/ip cloud set ddns-enabled=no update-time=no

6 Upgrade the MikroTik OS

To ensure that we are up to date with MikroTik OS versions, we can download the most recent
stable RouterOS which is 6.46.6 using the link
https://download.mikrotik.com/routeros/6.46.6/routeros-mipsbe-6.46.6.npk for MIPSBE or
https://download.mikrotik.com/routeros/6.46.6/routeros-smips-6.46.6.npk for SMIPS or
https://download.mikrotik.com/routeros/6.46.6/routeros-tile-6.46.6.npk for TILE or
https://download.mikrotik.com/routeros/6.46.6/routeros-mmips-6.46.6.npk for MMIPS. In order
to know the architecture name of the router you’re using, check at the end of the title bar or run
the following command in MikroTik terminal to know the architecture name,

:put [/system resource get architecture-name]

It is possible that when this document is being exploited, there will be a more recent stable
version, do ensure that you install the most stable RouterOS version. Subsequently, an auto
upgrade could be preview and this upgrade placed in a scheduler to be activated at a given time
of the night when the network is least saturated, this will depend on the agreed policy of
WIICOM. This will be discussed in a later document.

x
 NETWORK CONFIGURATION

7 General Configurations
7.1 Naming a router
Setting a name for router permits for easy identification in the network. The following command
is used to set router name

/system identity set name=router_name

For example, for PE-Mbankolo, we will have

/system identity set name=PE-Mbankolo

It’s usually important to give meaning names for interfaces to easily identify the interface later

7.2 Setting router loopback

The following command is used to add an interface name loopback. A loopback address is a type
of IP address that is used to test the communication or transportation medium on a local network
card and/or for testing network applications. Data packets sent on a loopback address are re-
routed back to the orginating node without any alteration or modification. Also, a loopback
address can be subsequently used as router-id when it comes to the configuration of OSPF

/interface bridge add name=loopback protocol-mode=none

/ip address add address=valid_host_ipv4_address/32 interface=loopback

For example, to set 1.1.1.1/32 as a loopback address, we use the following commands in terminal

/interface bridge add name=loopback protocol-mode=none

/ip address add address=1.1.1.1/32 interface=loopback

7.3 Renaming an interface

It can important to rename an interface to ease configurations using the following commands

/interface ethernet set ether1 name=ether1_new_name

xi
 NETWORK CONFIGURATION
Where ether1_new_name is the new name given to interface ether1. It’s advisable to maintain
the ether1 to avoid mistakes in physical connections and confusions of identifying the renamed
interface. Another approach to minimize confusion is using explicit names and physically
placing this label on the router interface. The following script renames the interfaces from their
previous names which are the keys to the new names which are the values in the array.

{
:local renameInterfaces { "ether1"="ether1_new_name_one" ;
"ether2"="ether2_new_name_two" ; "ether3"="ether3_new_name_three" ;
"ether4"="ether4_new_name_four" ; "ether5"="ether5_new_name_five" }
/interface ethernet
:foreach previousInterfaceName,newInterfaceName in=$renameInterfaces
do={ set $previousInterfaceName name=$newInterfaceName}
}

7.4 Setting IPv4 addresses for router interfaces

The following command is used to set an ipv4 address on an interface

/ip address add address=aa.bb.cc.dd/e interface=ether1_new_name_one

network=ff.gg.hh.ii/j broadcast=kk.ll.mm.nn/p disabled=no

In other to configure an IPv4 address on an interface, of a MikroTik router, the most important
information is

o Ipv4 address aa.bb.cc.dd/e

o Network address ff.gg.hh.ii/j
o Broadcast address kk.ll.mm.nn/p
o Interface name_interface
o Comment “This interface is meant for …”

xii
 NETWORK CONFIGURATION
With this information gotten from the document for IPv4 addresses, we will create a nested 2D
array containing all this info. It should be noted that the bolded sections in the following
template should be replaced with real information.

{
:local configureRouterInterfaces {
“name_of_interface_one”={
“address”=”ipv4_address_one”;
“network”=”network_address_one”;
“broadcast”=”broadcast_address_one”;
“comment”=”useful_comment_one”
};
“name_of_interface_two”={
“address”=”ipv4_address_two”;
“network”=”network_address_two”;
“broadcast”=”broadcast_address_two”;
“comment”=”useful_comment_two”;
}
}
/ip address
:foreach interfaceName,interfaceConfig in=$configureRouterInterfaces do={
add interface=$interfaceName address=$interfaceConfig->”address”
network=$interfaceConfig->”network” broadcast=$interfaceConfig->”broadcast”
comment=$interfaceConfig->”comment” disabled=no}
}

7.5 OSPF
In other to configure OSPF routing, we will have the following in mind

xiii
 NETWORK CONFIGURATION
o P routers will serve as ABR (Area Border Routers) this is to ensure that LSA (Link State
Advertisement) within an area shouldn’t cross to another area
o DR and BDR will be generated by the OSPF algorithm
o The naming of areas will be done with the help of the name of the region (NB: this region
is not administrative)
o 32bit Router IDs will be set for each router as per the agreed convention.

We will present template scripts for the configuration of OSPF in a router

The following command is used to create an area named yaounde_region

/routing ospf area add area name=yaounde_region

To add a set of networks to a given area, we can use the following script to create an area and
add networks to this area. It should be noted that these networks should comprise networks to
which the router being configure is connected to other routers of the same area on which OSPF
has be activated or will be activated. This script also fixes a router id for OSPF, in the absence of
a router id, one of the addresses on the router will be used as a router id

{
:local networksInOSPFArea { “1.1.1.1/32”, “192.168.10.0/30”,
“192.168.10.4/30”, “192.168.10.8/30”, “192.168.10.12/30”,
“192.168.10.16/30” }
:local nameOfArea yaounde_region
:local areaId “0.0.0.1”
:local nameOfInstance “name_of_instance”
:local routerId “1.1.1.1”
/routing ospf area add area name=$nameOfArea area-id=$areaId
#We will use the default instance but rename it and set router-id to loopback
#Other default parameters but for one will be modified for now
/routing ospf instance set 0 name=$nameOfInstance router-id=$routerId
/routing ospf network

xiv
 NETWORK CONFIGURATION
:foreach networkForOSPF in=$networksInOSPFArea do={
add area=$nameOfArea network=$networkForOSPF}
}

To verify if OSPF instance is running on router, run the following command

/routing ospf monitor once

The following command is used to verify the elected DR and BDR with the various advances
established by OSPF after the exchange of LSA via Hello Packets.

/routing ospf neighbor print

The following command is used to check whether LSA tables were generated properly.

/routing ospf lsa print

By default, the authentication for exchange of LSA is not activated. This is dangerous as a packet
sniffer attack is easy and can lead to OSPF misconfiguration. To avoid such, MD5 authentication
should be configured on all OSPF interfaces. The following command can be used

/routing ospf interface add interface=ether1 authentication=md5

The default options can be modified when need arises and other interfaces added with MD5
authentication.

In order to ensure that networks that are connected to an OSPF router but not necessarily part of
the initially added networks to the area but will have the router advertise the reachability to their
network. This is achieved via the following command. Supposing that only the router instance
with number 0 is running, we will use

/routing ospf instance set 0 redistribute-connected=as-type-1

xv
 NETWORK CONFIGURATION
7.6 MPLS
Basic MPLS configuration is achieved on desired interfaces by running the following script with
mplsInterfaces containing an array of the various interfaces on which MPLS will be activated.
LDP (Label Distribution Protocol) is also enabled to ensure exchange of labels between LSRs
and LERs.

{
:local lsrAndTranportAddress “1.1.1.1”
:local mplsInterfaces {“ether1”, “ether2”, “ether3”}
#enabling LDP
/mpls ldp set enabled=yes lsr-id=$lsrAndTranportAddress transport-
address=$lsrAndTranportAddress

/mpls ldp interface

:foreach interface in=$mplsInterfaces do={
add interface=$interface}
}

7.7 DHCP
The following command is used to define DHCP pool,

/ip pool add name=CE1pool ranges=30.4.0.2-30.4.15.254

The following command is used to set the DHCP server on a given interface, with lease time 1h

/ip dhcp-server add address-pool=CE1pool disabled=no interface=ether3 lease-

time=1h name=CE1

/ip dhcp-client add disabled=no interface=ether3

Let’s specify the gateway, dns server and network address for the DHCP Server Network

xvi
 NETWORK CONFIGURATION
/ip dhcp-server network
add address=30.4.0.0/20 dns-server=8.8.8.8,8.8.4.4 gateway=30.4.0.1
comment="CE1"

MikroTik has a way to quickly setup DHCP on an interface by entering the command and then
enter the required information judiciously.

/ip dhcp-server setup

7.8 NAT
All routers that are connected to the internet should have NAT activated using the following
command with ether3 being the interface facing the internet

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether3

8 Yaounde Region
8.1 Telephony Network
Presented below is a diagrammatic representation of the telephone network. After previously
elaborating a number of technologies that should be activated for use to have a functional MPLS
network, we will consider each router and outline the various technologies that should be
activated. The practicality will be demonstrated in simulation and a template made for P, PE and
CE routers generally then particular aspects for Data Center routers and Internet Routers.
Protective credentials can be saved for later with the main objective now being, having a
functional MPLS network. A dynamic security script to secure all routers based on all the
aforementioned security measures.

8.1.1 PE-Internet
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1 in OSPF area named yaounde_region

o Activate LDP in router

xvii
 NETWORK CONFIGURATION
o Add ether1 to MPLS

o NAT with output interface ether3

8.1.2 PE-Ngoa-Ekelle-Tel
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1, ether2, ether3, ether4 and ether5 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1, ether2, ether3, ether4 and ether5 to MPLS

8.1.3 PYaounde
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1 to MPLS

o In the future, it will be necessary to configure eBGP towards others P routers in other
regions.

8.1.4 PE-Data-Center-1
o Set name of router

o Address each router interface

xviii
 NETWORK CONFIGURATION
o Create area name yaounde_region

o Place ether1 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1 to MPLS

8.1.5 PE-Mbankolo-Tel
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1, ether2 and ether3 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1, ether2 and ether3 to MPLS

8.1.6 PE-Soa-Tel
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1 and ether2 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1 and ether2 to MPLS

8.1.7 PE-Petit-marche-Tel
o Set name of router

xix
 NETWORK CONFIGURATION
o Address each router interface

o Create area name yaounde_region

o Place ether1, ether2, ether3 and ether4 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1, ether2, ether3 and ether4 to MPLS

8.1.8 PE-Data-Center-Siege
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1 to MPLS

8.1.9 PE-Siege
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1, ether5 and ether6 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1, ether5 and ether6 to

o Activate DHCP servers on ether3 and ether4

xx
 NETWORK CONFIGURATION

8.1.10 PE-Internet-Siege
o Set name of router

o Address each router interface

o Create area name yaounde_region

o Place ether1 in OSPF area named yaounde_region

o Activate LDP in this router

o Add ether1 to MPLS

8.1.11 CE-Monitoring-Telephonie
o Set name of router

o Address each router interface

o Set interface ether1 as DHCP client

8.1.12 CE-Siege-Telephonie
o Set name of router

o Address each router interface

o Set interface ether1 as DHCP client

xxi
 NETWORK CONFIGURATION

Figure 1: Telephony Network

8.1.13 Connectique Network

The following architecture is used for the Connectique network. The configurations here are
similar to those of the Telephony but the for the exception that a special TE will be elaborated to
meet the demands of various Connectique clients. Attention should be paid to the differences in
interfaces in equipment that is common to both Telephony and Connectique Network

xxii
 NETWORK CONFIGURATION

Figure 2: Connectique Network

8.1.14 Telephone and Connectique network

The combine network is an amalgamation of the individual configurations of Telephony and
Connectique Networks. The figure below illustrates a view of the combined architecutures.

xxiii
 NETWORK CONFIGURATION

Figure 3: Telephony and Connectique Network

9 Conclusion
This document presents the various manipulations that are to be done on a MikroTik router prior
to proper configuration. We go ahead to elaborate the putting in place of an MPLS network and
some minimum security required for routers and activation of some technologies like DHCP and
NAT. The main objective of this document is to present a methodology that will be used in
elaborate reusable templates for various key routers in the network that’s P, PE and CE
amongst other key actions in the network that will require the use of scripts.

xxiv