When I began replacing my Unifi switches with MikroTik — I was very impressed with the MikroTik devices. So when I found a CCR1009-7G-1C-1S Core router, second hand, for a reasonable price — there was no reason not to buy it.
RouterOS seemed daunting at first; so I watched a lot of YouTube videos from The Network Berg, which increased my confidence 🙂
I’m planning to do major changes to my home network, but I want to do it in steps — not all at once. So I simply placed the CCR in front of my current EdgeRouter and forwarded all ports. This meant that no changes were required on the EdgeRouter; it just got a new WAN IP 👍
Then, when I’m good and ready, I can start to build my new network, one subnet at a time, transferring them from the EdgeRouter to the CCR.
I started by resetting the current configuration on the CCR. It doesn’t have any defaults, so that left me with a blank slate.
I mostly used WinBox, but it can also be done in the terminal. The commands below were exported using the terminal command:
```
/export hide-sensitive file=initial-config
```
First I set descriptions on the interfaces I was going to use:
```
/interface ethernet
set [ find default-name=combo1 ] comment=WAN
set [ find default-name=ether2 ] comment=Edgerouter
```
Then I created a DHCP client on `combo1`:
```
/ip dhcp-client
add disabled=no interface=combo1
```
And set a static LAN IP on `ether2`:
```
/ip address
add address=10.0.0.1/30 interface=ether2 network=10.0.0.0
```
`10.0.0.0/30` only has two usable addresses: `10.0.0.0` is the network address and `10.0.0.4` is the broadcast address.
Then I created a DHCP server on `ether2`. There is a wizard in the graphical interface, or use `ip dhcp-server setup` in the terminal.
This was the result of the created DHCP server:
```
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 name=dhcp1
/ip dhcp-server network
add address=10.0.0.0/30 gateway=10.0.0.1
```
I allowed remote DNS requests, although I’m probably going to use something like Pi-Hole for that:
```
/ip dns set allow-remote-requests=yes
```
Next I added some firewall rules; these are pretty basic:
```
/ip firewall filter
add action=tarpit chain=input dst-port=22 in-interface=combo1 protocol=tcp \
    src-port=""
add action=tarpit chain=forward dst-port=22 in-interface=combo1 protocol=tcp
add action=accept chain=input connection-state=established,related \
    in-interface=combo1
add action=drop chain=input in-interface=combo1
add action=accept chain=forward comment="Allow established/related" \
    connection-state=established,related in-interface=combo1
add action=accept chain=forward in-interface=combo1
add action=reject chain=forward comment="Default drop" connection-state="" \
    in-interface=combo1 reject-with=icmp-network-unreachable
```
The firewall has three chains:
- `forward`: traffic passing through the router
- `input`: traffic whose destination is a router address
- `output`: traffic originating from/leaving the router
So what is happening here?
- Port 22/tcp is tarpitted on the input and forward chains of the `combo1` interface.
- Established and related connections are accepted on the input chain of the `combo1` interface.
- All other requests on the input chain of the `combo1` interface are dropped.
- Established and related connections are accepted on the forward chain of the `combo1` interface.
- All requests are accepted on the forward chain of the `combo1` interface.
- The default rule is to reject on the forward chain of the `combo1` interface.
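To see what this rule order actually does, here is an added example (my own Python model, not RouterOS and not part of the original post) that replays the filter rules above as a first-match list over a few constructed packets, and flags any rule that an earlier, more general rule in the same chain already covers. Matcher names mirror the export keys; NAT is left out and, as in RouterOS, a packet that matches no rule is accepted.

```python
# Each rule: (chain, action, matchers); matcher keys mirror the RouterOS export.
EST_REL = frozenset({"established", "related"})
RULES = [
    ("input",   "tarpit", {"in_interface": "combo1", "protocol": "tcp", "dst_port": 22}),
    ("forward", "tarpit", {"in_interface": "combo1", "protocol": "tcp", "dst_port": 22}),
    ("input",   "accept", {"in_interface": "combo1", "connection_state": EST_REL}),
    ("input",   "drop",   {"in_interface": "combo1"}),
    ("forward", "accept", {"in_interface": "combo1", "connection_state": EST_REL}),  # Allow established/related
    ("forward", "accept", {"in_interface": "combo1"}),
    ("forward", "reject", {"in_interface": "combo1"}),  # "Default drop"
]

def matches(rule, chain, pkt):
    """pkt is a dict with the same keys (constructed packets, not captures).
    A connection_state matcher is a set of states; an absent matcher means 'any'."""
    r_chain, _, m = rule
    if r_chain != chain:
        return False
    for key, want in m.items():
        have = pkt.get(key)
        if key == "connection_state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def evaluate(chain, pkt, rules=RULES):
    """(action, rule index) of the first match; RouterOS accepts when no rule matches."""
    for i, rule in enumerate(rules):
        if matches(rule, chain, pkt):
            return rule[1], i
    return "accept", None

def shadowed_rules(rules=RULES):
    """Indices of rules that can never fire because an earlier rule in the same
    chain sets only a subset of their matchers (so it matches everything they would)."""
    return [j for j, (chain, _, m) in enumerate(rules)
            if any(c == chain and em.items() <= m.items() for c, _, em in rules[:j])]

if __name__ == "__main__":
    # Constructed packets: an unsolicited DNS query from the WAN side to the router
    # itself, and a new inbound TCP/443 connection being forwarded to the EdgeRouter.
    wan_dns = {"in_interface": "combo1", "protocol": "udp", "dst_port": 53, "connection_state": "new"}
    wan_https = {"in_interface": "combo1", "protocol": "tcp", "dst_port": 443, "connection_state": "new"}
    print(evaluate("input", wan_dns))      # ('drop', 3): allow-remote-requests=yes is not reachable from WAN
    print(evaluate("forward", wan_https))  # ('accept', 5): catch-all accept on forward
    print(shadowed_rules())                # [6]: the "Default drop" reject never fires
```

The input-chain drop is what keeps `allow-remote-requests=yes` from turning the router into an open resolver on the WAN side, and the shadow check shows the "Default drop" rule is dead while the catch-all forward accept sits above it.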
Next I added NAT rules:
```
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin/reflection dst-address=\
    10.0.0.0/30 src-address=10.0.0.0/30
add action=masquerade chain=srcnat out-interface=combo1
add action=dst-nat chain=dstnat in-interface=combo1 to-addresses=10.0.0.2
add action=dst-nat chain=dstnat dst-address=MY.WAN.IP.ADR to-addresses=\
    10.0.0.2
```
So what is happening here?
- Traffic from the LAN, going to the LAN, is masqueraded. This is NAT hairpinning, reflection, or loopback. This rule needs to be first.
- Traffic leaving the `combo1` interface is masqueraded. We need this so that our private IPs are replaced with the WAN IP when leaving the router, so that a response can be routed back to us.
- All traffic received on the `combo1` interface is forwarded to `10.0.0.2`, which is the EdgeRouter.
- All traffic going to my WAN IP is forwarded to `10.0.0.2`, which again is the EdgeRouter. This makes it possible to use the WAN IP locally — part of NAT hairpinning.
I then plugged the internet into `combo1` and the WAN port on my EdgeRouter into `ether2`.
The CCR got an IP from my ISP, and the EdgeRouter got an IP from the CCR. I was in business! 😃
Next I’m planning to ditch the ISP fiber box, plugging the fiber straight into the CCR, and to start creating and migrating subnets. Once it’s all been moved off the EdgeRouter, it can be retired.