Moving to MikroTik as a Home Router
I finally got some time to retire my venerable Netgear WNR3500Lv2 soap-box router. It worked perfectly, and still works. I guess I will find some use for it eventually.
The new beast is a MikroTik RB951G-2HnD. I liked it when I got it, but I was afraid I wouldn't be able to configure it for my needs as easily as I could with the Netgear thing and the previous DD-WRT boxes. So the MikroTik was collecting dust for more than half a year. Now, as I finally managed to do it, it turned out I was right — for an n00b like me, getting the damn thing to work required almost two days.
Most problems were related to the firewall, NAT and port forwarding. Me, being a n00b, was stupid enough to set up a bunch of VMs in the past. And now many of them require certain ports to be accessible from outside. And from inside. Having both worlds is the tricky part. Careful rewriting of the source address, the destination address, masquerading, and filtering based on which interface a packet arrived on finally got me what I wanted.
Getting L2TP working with my provider was also non-trivial, but searching the Net offered an answer pretty quickly. Securing the thing so that the router management facilities are not exposed on external interfaces was also described somewhere.
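To make the "both worlds" part concrete, here is an added example configuration (not from the original post, and not copied from any of the links below) of the hairpin NAT plus interface-based filtering described above, with the management ports kept off the WAN side. Interface names, the LAN subnet, the VM address and the public address are all constructed placeholders; with a provider L2TP tunnel the WAN interface would be the tunnel interface rather than the physical port.

```routeros
# Added example, not the original post's configuration. Constructed assumptions:
#   WAN interface  = ether1-gateway (with an L2TP provider this would be the tunnel)
#   LAN bridge     = bridge-local, LAN subnet = 192.168.88.0/24
#   VM web service = 192.168.88.10 tcp/80
#   Public address = 203.0.113.5 (documentation range, placeholder)

# 1. Ordinary outbound masquerade for the LAN.
/ip firewall nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="LAN to Internet"

# 2. Port forward. Matching on the public dst-address (not on in-interface) makes the
#    rule fire for LAN clients as well as Internet clients, which hairpin NAT needs.
/ip firewall nat add chain=dstnat dst-address=203.0.113.5 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 comment="www to VM"

# 3. The hairpin itself: a LAN host reaching the VM through the public address also gets
#    its source rewritten, so the VM replies via the router instead of directly to the
#    client (a direct reply would not match the client's connection and would be dropped).
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=80 out-interface=bridge-local action=masquerade comment="hairpin NAT"

# 4. Forward chain: established traffic passes, the forwarded service is allowed in from
#    the WAN, everything else that is new and arrives on the WAN interface is dropped.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether1-gateway dst-address=192.168.88.10 protocol=tcp dst-port=80 connection-state=new action=accept comment="forwarded www"
/ip firewall filter add chain=forward in-interface=ether1-gateway connection-state=new action=drop comment="drop unsolicited from WAN"

# 5. Input chain: management (Winbox, SSH, web) is reachable from the LAN bridge only;
#    anything new arriving on the WAN interface for the router itself is dropped.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=bridge-local action=accept comment="management from LAN"
/ip firewall filter add chain=input in-interface=ether1-gateway action=drop comment="no management from outside"
```

Rule order matters in RouterOS: the accept rules must sit above the drop rules within each chain, and a quick check from the LAN is to open the service via the public address while watching the counters on the "hairpin NAT" rule.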
Compared to that, static DHCP leases for the VMs were the easy part. As a bonus, I was able to clean up unused port bindings, understand which VMs are still there and which have been dead for a while, etc.
Some useful links I found on the Net which helped me to finally figure this thing out:
- http://superuser.com/a/663952
- http://forum.mikrotik.com/viewtopic.php?t=34245
- http://wiki.mikrotik.com/wiki/How_to_configure_a_home_router#NAT
- http://homenet.beeline.ru/index.php?showtopic=252615&st=180&p=1065169593&#entry1065169593 - on L2TP troubles
- http://spw.ru/solutions/nastrojka_fajrvolla_na_mikrotik_chast_2/ - on securing the thing
- http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
- http://wiki.mikrotik.com/wiki/Hairpin_NAT - this is what networking people call the abomination I was creating. A hairpin is a U-shaped fixture for hair, obviously.
All that said, the MikroTik ecosystem actually looks great. The Winbox management application is really powerful, and it works under Wine all right. The best thing is that commands from the console are reflected in the GUI immediately, and most of the time it is possible to correlate which CLI options match which GUI elements after that. The log system is also awesome for debugging, as it lets you selectively choose which events are shown and which tags they are prefixed with.
The console command-line interface actually makes sense. It differs from Unix shell customs, and that is in fact a very good thing.