21 May

How to reach PPPoE bridge from Mikrotik

When using a Mikrotik router (or any other decent home router) as your PPPoE client, it’s good to be able to keep access to the ADSL/VDSL modem in-line to allow diagnostics, additional configuration etc. To avoid a situation where the router is essentially double-NATing all the packets going across the WAN link, the ideal setup is a secondary IP address on the router’s WAN interface, that is handled separately.

Below is a crude drawing of my home setup. The Draytek Vigor 130 is acting as a VDSL modem, bridging the PPPoE connection across to the Mikrotik¬†RB2011UAS-2HnD-IN which is ‘dialing’ the PPPoE connection back to my ISP. The ISP dishes out an IP address which lands directly on the router, passing through the Draytek. On the LAN side of the router, is a pretty boring DHCP subnet (with DNS setup as mentioned here).

To setup the router/modem to allow access to both (without unplugging the router to get back to the modem) – you can do the following:

First, add an IP address to the modem:

Now, add the corresponding interface on the Mikrotik (access via SSH, note below is only 2 lines of config):

This will add the other end of the /30 network to the ether1-gateway (physical) interface on the Mikrotik router.

Now, all we need to do is tell the router that it’s OK to NAT on that address, on that interface:

If all went to plan, you should be able to ping from your Mikrotik:

All done, now you can browse to both the router IP for GUI config, and get to the VDSL modem’s config page as well.

Help on this one came from the DD-WRT wiki.

21 May

Mikrotik Firewall – For Home Users

Mikrotik make routers that are affordable enough for the home user market, but are quite powerful and come without too many training wheels. I’m using the RB2011UAS-2HnD-IN as a home router, wireless AP and firewall. It’s powerful and configurable enough to do pretty much anything I’ve thrown at it – but out of the box it’s probably a bit too open to attacks from randos.

Here’s a firewall script I’ve deployed on the home gateway, with the following parameters

Home LAN Subnet –
Home LAN Gateway –

This firewall script can be used to somewhat lockdown access to your router/home LAN without too much struggle. It’s probably missing a few bits and pieces, but seems to have put and end to hackers trying to brute-force root access via SSH over the internet – so far.

21 May

Unblock-US and Mikrotik RB2011UAS-2HnD-IN

If you live somewhere out of the way, like New Zealand, sometimes it pays to use a DNS-proxying service like Unblock-US. Reasons for this are circumventing some draconian geo-blocking rules, but I won’t go into that here.

Anyway – if you want to setup your Mikrotik router to use DNS addresses other than your ISPs provided ones (and make use of the DNS cache offered by the router) – follow these steps:

First, SSH into your router (something like admin@routerIP). I use Putty to do this in Windows. Then enter the following lines:

That adds the 3 Unblock-US DNS addresses they specify to be the router’s DNS servers. You can check it worked by the following command:

Now, the DNS is set, but nothing on your home LAN is going to be interested until you either statically point each device to use the DNS address of your router ( by default), or tell the router’s DHCP server where to get its DNS info from. The latter is the most elegant option. Do it by:

Here, we go into the DHCP server config and set up a DHCP pool on the local bridged interfaces (the locally connected devices, including wifi hosts). Then, we tell the DHCP server to use the router’s IP as its DNS source. Quite often this is already set by default.

Now, you can browse around a bit, using the Unblock-US DNS servers to get to where you want to go. You can check on the DNS Cache by entering:

It should have a few hundred entries after a minute or so of cruising around the internet.

The final (and crucial) step, is to disable ‘Peer DNS’ on your WAN interface. I did this by disabling the option on my pppoe-out1 interface

Some info from here.