May 19, 2006

Test-driving RouterOS 2.9

Author: Mikael Vingaard

Would you like to have a Linux-based router capable of doing tasks such as stateful firewall inspection, virtual private networking, and traffic shaping, in addition to packet routing? Tired of having to do administration from the command line but want to be able to administer your box from a Windows-based client PC? MikroTik's RouterOS may be what you need.

You can boot RouterOS via diskette, CD, or over the network via PXE or Etherboot-enabled network interface card. You can find a full list of RouterOS technical specifications at the homepage.

I installed the 13MB ISO CD image of RouterOS v2.9.23 on an old Compaq Proliant 400 (450MHz, 128MB RAM, 20GB hard disk). The software's minimum configuration is a 100MHz Pentium, 64MB RAM, and 64MB storage. When I booted the PC, I found a list of available packages for RouterOS, including the packages for DHCP and PPTP servers, a Web proxy, and much more. You can select individual packages, all available packages, or the minimum required packages. To see the full range of what RouterOS was capable of, I selected all. After a last warning that the data on the disk will be erased, the software is installed.

After a mandatory reboot, the machine displays the MikroTik welcome screen. You can use the default username "admin" with no password to log in to a command prompt. To see a list of available commands, type a question mark and press Enter.

The first thing you want to do is change the default password, which you can do with the command /password. The next step is to configure the router's networking information with the command /setup, which walks you through the process via on-screen instructions. In addition to specifying your IP address and default gateway, you can also set up things such as DHCP scope and PPTP clients.

After a successful setup, you can access the router via SSH (default port 22) or telnet. (For security purposes, however, avoid telnet, because with telnet, usernames and passwords are sent over the network in clear text.)

If you would like a more user-friendly interface than the command line, RouterOS offers WinBox, a nice remote configuration GUI for Windows, which makes administration of the router a breeze. With it, you can do real-time configuration and system monitoring, create user policies, and review actions in a GUI rather than on the command line. To get WinBox, connect to the router's IP address with a Web browser and follow the link to download winbox.exe. By default, WinBox uses TCP port 8291. You can also connect to a router via its MAC address.

Test-driving RouterOS

When I had everything up and running, I began testing RouterOS by creating a PPTP (Point-to-Point Tunneling Protocol) VPN. This is easy to do in WinBox, but let's try it via the command line. First, I enabled the PPTP VPN server with the command:

/interface pptp-server server set enabled=yes

Next, I created a user "sale1" with password "profit," specifying the laptop client's IP address as 192.168.7.2 and the PPTP server's interface as 192.168.7.250:

/ppp secret add name=sale1 service=pptp password=profit local-address=192.168.7.250 remote-address=192.168.7.2

One last thing to do is add a named PPTP server interface for the user, so that when you're monitoring the VPN server, sale1 shows in the stats as Roadwarrior; this may be useful for internal billing:

/interface pptp-server add name=Roadwarrior user=sale1

A PPTP VPN is not as secure as an IPsec VPN, which is based on certificates issued by a trusted authority. However, certificates are more expensive than the PPTP solution. One compromise is to use self-signed certificates, in which you, rather than a trusted third party, sign the certificates. If you prefer an IPsec solution, RouterOS can do that as well.

To use RouterOS as a wireless gateway, you need two network cards on the server -- one to connect to the WAN, and one wireless. I configured a new wireless interface using the /setup command, then configured it to act as a DHCP server, handing out IP addresses between 192.168.8.10 and 192.168.8.99 to my wireless users, with the commands:

/ip pool add name=dhcp-pool ranges=192.168.8.10-192.168.8.99
/ip dhcp-server network add address=192.168.8.0/24 gateway=192.168.8.1
/ip dhcp-server add interface=wifi address-pool=dhcp-pool

To put a hotspot gateway on the Wi-Fi interface, using the same IP address pool as the DHCP server, and to add a hotspot user named "wireless" with the password "testing," I ran the commands:

/ip hotspot add interface=wifi address-pool=dhcp-pool
/ip hotspot user add name=wireless password=testing

Pricing and licensing

RouterOS licensing schemes include six different levels. According to the Web site, you can use a "demo key" that leaves all the software's features enabled without registration for 24 hours. During this period you must get a valid key, or you will need to reinstall RouterOS. The software displays a countdown timer during the evaluation period.

After the evaluation period, you must decide your requirements. You may get a free license key simply by registering as a user on the Web site. A free license lets you enable only one PPTP tunnel and supports only one VLAN interface. This is fine for most individuals, but system administrators will probably opt for one of the commercial licenses, with more VPN tunnels and VLAN interfaces. Even the most expensive license costs less than $300.

Some of the licenses let you use RouterOS as a wireless access point/router. One drawback, however, is that a junior admin might be foolish and use telnet rather than SSH. I suggest disabling the telnet server, which you can do in the WinBox GUI or via the command /ip service disable telnet.
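The hardening points this review makes (change the empty admin password, prefer SSH over telnet, treat PPTP as weaker than IPsec) and the pool wiring between /ip pool, /ip dhcp-server and /ip hotspot can all be checked mechanically against a router's export. The following Python script is an added example, not code from the article or from MikroTik: it parses a constructed, RouterOS-style export (SAMPLE_EXPORT, modelled on the commands above and deliberately carrying a mistyped hotspot pool name) and reports enabled cleartext management services, address-pool references that name no existing pool, users without a password, and PPTP secrets. The export layout, the audit function names and the CLEARTEXT_SERVICES set are this example's own assumptions.

```python
import shlex

# Constructed sample in the style of a RouterOS "export" (not a real device dump);
# it mirrors the commands in the article, including a dangling hotspot pool name.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=no port=23
set ssh disabled=no port=22
set www disabled=yes port=80
set winbox disabled=no port=8291
/ip pool
add name=dhcp-pool ranges=192.168.8.10-192.168.8.99
/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
/ip dhcp-server
add interface=wifi address-pool=dhcp-pool
/ip hotspot
add interface=wifi address-pool=dhcp-pool-1
/ppp secret
add name=sale1 service=pptp password=profit local-address=192.168.7.250 remote-address=192.168.7.2
/user
add name=admin password="" group=full
"""

# Management services that send credentials over the network in clear text (assumed set).
CLEARTEXT_SERVICES = {"telnet", "ftp", "www", "api"}


def parse_export(text):
    """Turn export lines into (menu, action, target, params) tuples.

    A line starting with "/" selects the current menu; the lines below it are
    "add key=value ..." or "set <target> key=value ...".
    """
    entries = []
    menu = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        action, rest = tokens[0], tokens[1:]
        target = None
        if rest and "=" not in rest[0]:
            target = rest.pop(0)          # e.g. "telnet" in "set telnet disabled=no"
        params = {}
        for token in rest:
            key, _, value = token.partition("=")
            params[key] = value
        entries.append((menu, action, target, params))
    return entries


def enabled_cleartext_services(entries):
    """Cleartext management services still enabled (the article says: disable telnet)."""
    return sorted(target for menu, _, target, params in entries
                  if menu == "/ip service" and target in CLEARTEXT_SERVICES
                  and params.get("disabled", "no") == "no")


def dangling_pool_references(entries):
    """address-pool= values that name no /ip pool entry (a typo here breaks the hotspot)."""
    pools = {params["name"] for menu, _, _, params in entries
             if menu == "/ip pool" and "name" in params}
    return [(menu, params["address-pool"]) for menu, _, _, params in entries
            if "address-pool" in params and params["address-pool"] not in pools]


def passwordless_users(entries):
    """Router logins with an empty password (RouterOS ships admin with none)."""
    return [params["name"] for menu, _, _, params in entries
            if menu == "/user" and params.get("password", "") == ""]


def pptp_secrets(entries):
    """PPP secrets bound to PPTP, which the article rates below an IPsec tunnel."""
    return [params["name"] for menu, _, _, params in entries
            if menu == "/ppp secret" and params.get("service") == "pptp"]


def audit(text):
    """Run every check over one export and return the findings as a dict."""
    entries = parse_export(text)
    return {
        "cleartext_services": enabled_cleartext_services(entries),
        "dangling_pools": dangling_pool_references(entries),
        "passwordless_users": passwordless_users(entries),
        "pptp_secrets": pptp_secrets(entries),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_EXPORT).items():
        print(f"{check}: {findings or 'none'}")
```

Run against the sample, the script flags telnet as the only enabled cleartext service, the hotspot's reference to the non-existent pool dhcp-pool-1, the admin account without a password, and the sale1 PPTP secret; once telnet is disabled and the pool name corrected, the first two findings go away.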

Conclusions

RouterOS is a good option for small companies with a restricted budget. Thanks to the WinBox application, even a novice Linux administrator can make good use of the firewall and set up a VPN.

With some Linux knowledge you will be able to use many options familiar to Cisco router users, such as the Virtual Router Redundancy Protocol for clustering several routers.