Discover the power of RouterBOARDS
Self-Control
MikroTik is a Latvian manufacturer of network equipment whose main audience comprises small Internet service providers (ISPs) and wireless connectivity providers. What makes MikroTik's offerings interesting for home users and administrators of small business networks is that their low-end products offer a lot of features for the money. Deploying a small router from MikroTik feels like deploying consumer-grade hardware loaded with enterprise-grade firmware (Figure 1).
Unplanned IT
I was forced to learn network administration when my university migrated to a digital distribution platform for resources and documentation necessary to follow classes online. The University's plan was built on the premise that every student had a serviceable Internet connection at home; yet, I was stuck with a pitiful one. My ISP provided 3Mbps of symmetric bandwidth in an age in which urban dwellers had access to subscriptions 10 times as powerful. Latency often surpassed one second. Worse yet, I had to share my network connection with housemates who often needed the Internet to fulfill mission-critical tasks, such as delivering medical reports.
You don't learn how to optimize your resources until they are so tight you are forced to do so. When there isn't enough bandwidth for everybody, you need your network to prioritize traffic and understand that the connections from a doctor's computer are more important than the connections from an engineering student and that both are more important than connections to torrent swarms. Additionally, you need the network to filter superfluous traffic. Advertisements and Internet trackers are annoying when you have a good Internet subscription, but when you have a bad one, you can't afford to devote any bandwidth to them.
When you are tight on resources you also benefit from running your own Domain Name System (DNS) and Network Time Protocol (NTP) services in such a way that every client in the network uses your local servers instead of wasting your precious bandwidth contacting the outside world. Sadly, many devices are preconfigured to access external servers for these protocols regardless of the will of the network administrator and are often difficult to configure to act otherwise. In practical terms, this means your network must be able to identify a DNS or NTP query originating from a misbehaving device that is targeting an external server and redirect the connection transparently to your local servers.
By the time an aspiring network administrator has worked out what it takes to make the network usable, it is clear that the router must offer far more than a standard consumer device does. Advanced packet filtering and quality of service (QoS) are simply beyond what consumer-grade routers can do.
A friend told me to check on MikroTik [1] routers as a possible solution for my networking needs.
Enter RouterOS
MikroTik's routers come with an operating system called RouterOS, which is a Linux-based firmware built for router duty. Its main drawback is that, unlike common Linux distributions, it is not redistributable, because it ships proprietary components [2]. Additionally, RouterOS does not offer a traditional shell for management. Instead of Bash or a similar shell, administrators use RouterOS's own command-line interface, reached over Telnet, SSH, or the serial console, or one of its graphical front ends (the web interface or WinBox). Telnet carries credentials in the clear, so on a router that is reachable from outside the LAN, manage it over SSH and disable the Telnet service.
Fortunately, the lack of a standard interface is not a big deal. Once you learn your way around RouterOS, it clearly allows you to leverage the power of its Linux core to fulfill all the usual networking needs, and then some.
One word of warning: RouterOS is designed for network professionals and enthusiasts, so the management interfaces expect you to know how a computer network operates. Some tentative efforts have been made toward making RouterOS more friendly to new users (Figure 2), but at the end of the day, moderate knowledge is necessary.
From the web interface, a traditional router configuration that puts your local area network (LAN) behind a firewalled network address translation (NAT) service can be set up with a couple of clicks. Dynamic Host Configuration Protocol (DHCP), NTP, and DNS servers can be set up automatically in such a way that your router will be able to provide all the infrastructure services needed for your network without too much fiddling.
Firewalling
Any administrator with iptables experience will see the similarities between it and the firewall included in RouterOS.
This firewall is capable of stateful packet inspection, limited filtering of peer-to-peer (P2P) protocols, and traffic classification by media access control (MAC) address, protocol options (e.g., ICMP or TCP attributes), and even packet content (Figure 3). Again, management is not intuitive, but it is well documented [3]. Each packet that reaches a given chain of rules is checked against the rules of that chain from top to bottom. If a packet matches a rule, the action bound to that rule is taken, and no further rules in the chain are processed. If a packet traverses the full chain without matching any rule, it is accepted. That implicit accept is the opposite of what you want for a chain that is supposed to protect something, so such a chain should end with an explicit drop rule, and rule order should be checked after every change, because the first match wins.
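The following input chain is an added example, not part of the original article, of how the default-accept behavior just described is made harmless in practice: everything the router itself should answer is listed explicitly, and the last rule drops whatever is left. It assumes, as Listing 1 does, that ether1 is the Internet-facing interface; the LAN subnet 192.168.1.0/24 is an assumption of this example, since the article only mentions the single address 192.168.1.2.

```routeros
# Added example (not from the article): an input chain that ends in an
# explicit drop so that the firewall's implicit accept never applies to
# traffic addressed to the router itself.
# Assumptions: ether1 faces the Internet; the LAN is 192.168.1.0/24.

# Packets belonging to connections the router already knows about.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="replies to existing connections"

# Packets that fit no known connection (stray ACKs, malformed state).
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid state"

# Ping and path-MTU discovery from anywhere.
/ip firewall filter add chain=input protocol=icmp action=accept comment="icmp"

# Management (SSH 22, WinBox 8291) from the LAN only; nothing from ether1.
/ip firewall filter add chain=input src-address=192.168.1.0/24 protocol=tcp dst-port=22,8291 action=accept comment="management from LAN"

# The router as DNS resolver for the LAN.
/ip firewall filter add chain=input src-address=192.168.1.0/24 protocol=udp dst-port=53 action=accept comment="dns from LAN"
/ip firewall filter add chain=input src-address=192.168.1.0/24 protocol=tcp dst-port=53 action=accept comment="dns over tcp from LAN"

# Explicit default policy. Must be the last rule: first match wins.
/ip firewall filter add chain=input action=drop comment="drop everything else"
```

Rules are appended in the order they are added, so enter the management rule before the final drop, or you lock yourself out of a remote session. The RouterOS CLI offers Safe Mode (Ctrl-X) for exactly this: if the session is cut off while Safe Mode is active, the changes made in it are rolled back. After applying, /ip firewall filter print shows the chain in evaluation order and /ip firewall filter print stats shows per-rule packet counters, which is the quickest way to confirm that traffic is hitting the rule you think it is. This chain only covers the input chain (traffic to the router); traffic passing through the router between the LAN and the Internet is evaluated in the forward chain and needs its own rules.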
As an example of what the RouterOS firewall can do, I show you how to use it to perform a man-in-the-middle (MITM) interception that forces all the DNS traffic from a misbehaving device into a DNS server you control. Technically this is transparent redirection by destination NAT: the router rewrites the destination of the query, and connection tracking rewrites the reply on its way back so that the client never notices. The rules in Listing 1, entered over the SSH management interface, are a good example of rules for MITM against misbehaving DNS queries.
Listing 1
NAT rules for MITM
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=!192.168.1.2 dst-address=192.168.1.2 out-interface=!ether1 dst-port=53
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=udp src-address=!192.168.1.2 dst-address=!192.168.1.2 in-interface=!ether1 dst-port=53
The example assumes that your Internet-facing interface is ether1 and that you have a DNS server in your LAN at address 192.168.1.2. The first rule masquerades any traffic going from the LAN machines to the Internet, so the whole LAN appears behind the router's public address.
The third rule is the interception proper: any UDP packet to port 53 that enters on a LAN interface and is addressed to anything other than the local DNS server has its destination rewritten to 192.168.1.2. The DNS server itself is excluded by source address so that it can still perform its own upstream queries; without that exclusion, its recursive lookups would be redirected back to itself.
The second rule is needed because the client and the DNS server sit on the same LAN. Once the third rule has redirected a query, the server would otherwise answer the client directly, with 192.168.1.2 as source address, and the client, which sent its query to some external server, would discard a reply from an address it never contacted. Masquerading the redirected query makes the server reply to the router instead, and connection tracking restores the original addresses on the way back. The DNS server is again excluded so that its own traffic is left alone. The end result is that any computer on the LAN trying to connect to an outside DNS server connects to your local DNS server instead, and the computer believes it is actually talking to the external server.
Note the limits of a port-based match: these rules catch UDP port 53 only. DNS also runs over TCP port 53 (a twin of the second and third rules with protocol=tcp closes that gap), and a device using DNS over TLS (TCP port 853) or DNS over HTTPS (ordinary HTTPS on port 443) is not redirected at all. DNS over TLS can be blocked by port; DNS over HTTPS cannot be told apart from other HTTPS traffic by port alone.
A variant of these rules can be used to force HTTP traffic to web proxies you control, and in fact, I have been using an ad-blocking proxy like the one described in an earlier Linux Magazine article [4] alongside a MikroTik router, wherein the router directs any HTTP traffic that does not use a proxy to a proxy server on my LAN.
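The same redirect-plus-hairpin pattern carries over to other protocols that devices insist on reaching externally, including the NTP case raised earlier and the HTTP proxy case just mentioned. The block below is an added example, not the article's own configuration. It keeps the assumptions of Listing 1 (ether1 is the WAN interface, 192.168.1.2 serves DNS and NTP) and adds a hypothetical proxy at 192.168.1.3 listening on port 3128; both that address and port are assumptions of this example.

```routeros
# Added example (not from the article): transparent redirection for TCP DNS,
# NTP and plain HTTP, following the pattern of Listing 1.
# Assumptions: ether1 = WAN; 192.168.1.2 = local DNS and NTP server (as in
# Listing 1); 192.168.1.3:3128 = hypothetical ad-blocking proxy on the LAN.

# DNS over TCP: clients retry over TCP after a truncated UDP answer, so a
# UDP-only rule leaves a bypass. Same exclusions as the UDP rules.
/ip firewall nat add chain=dstnat in-interface=!ether1 protocol=tcp dst-port=53 src-address=!192.168.1.2 dst-address=!192.168.1.2 action=dst-nat to-addresses=192.168.1.2 comment="redirect TCP DNS to local resolver"
/ip firewall nat add chain=srcnat out-interface=!ether1 protocol=tcp dst-port=53 src-address=!192.168.1.2 dst-address=192.168.1.2 action=masquerade comment="hairpin so TCP DNS replies return via router"

# NTP: identical pattern on UDP port 123.
/ip firewall nat add chain=dstnat in-interface=!ether1 protocol=udp dst-port=123 src-address=!192.168.1.2 dst-address=!192.168.1.2 action=dst-nat to-addresses=192.168.1.2 comment="redirect NTP to local time server"
/ip firewall nat add chain=srcnat out-interface=!ether1 protocol=udp dst-port=123 src-address=!192.168.1.2 dst-address=192.168.1.2 action=masquerade comment="hairpin for NTP replies"

# Plain HTTP to the proxy. The proxy's own upstream fetches are excluded by
# source address, otherwise they would loop back into the proxy.
/ip firewall nat add chain=dstnat in-interface=!ether1 protocol=tcp dst-port=80 src-address=!192.168.1.3 dst-address=!192.168.1.3 action=dst-nat to-addresses=192.168.1.3 to-ports=3128 comment="transparent HTTP proxy"
# After dst-nat the port is already 3128, so the hairpin rule matches on it.
/ip firewall nat add chain=srcnat out-interface=!ether1 protocol=tcp dst-port=3128 src-address=!192.168.1.3 dst-address=192.168.1.3 action=masquerade comment="hairpin for proxied HTTP"

# Close the encrypted-DNS side door that port-53 matching cannot see:
# DNS over TLS uses TCP 853 and can simply be dropped on the way out.
/ip firewall filter add chain=forward out-interface=ether1 protocol=tcp dst-port=853 action=drop comment="no DNS-over-TLS bypass"
```

Two caveats apply. First, the hairpin masquerade means the DNS, NTP, or proxy server sees every redirected connection as coming from the router, so per-client logs are lost; if you need them, put the server on its own router interface or subnet, in which case replies route back through the router anyway and the srcnat hairpin rule can be dropped. Second, only plaintext HTTP on port 80 can be proxied this way; HTTPS cannot be transparently proxied without intercepting TLS, which requires a certificate authority that every client trusts. As with the filter rules, /ip firewall nat print stats shows which rules are actually matching traffic.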