# MikroTik Router Configuration

## Overview
Starting in 2025, the NCAE competition replaced CentOS routers with MikroTik routers. MikroTik provides both a CLI and web GUI for configuration.

## Why MikroTik?
- CentOS is end-of-life
- MikroTik is a commercial router OS used in real networks
- Provides both CLI and web interface
- More intuitive than raw iptables

## Access Methods

### CLI Access (Console/Terminal)
- Through Proxmox VNC console
- Direct terminal access
- No browser required

### Web GUI Access
```
http://<router-ip>:8080
```

**Example**: `http://172.20.213.1:8080` (from external side)

**Port 8080** is the management interface, not the standard web port.

## Initial Login

### Default Credentials
- **Username**: `admin`
- **Password**: (blank - just press Enter)

### First Login
1. Log in with blank password
2. System will prompt you to set a new password
3. **IMPORTANT**: Choose a strong password for competition
   - For testing/practice: can use something simple like `password`
   - For competition: red team will own you with weak passwords

### License Prompt
- Will ask if you want to view license
- Can say "no" unless interested

## Basic CLI Commands

### Check IP Addresses
```bash
/ip address print
```

Shows all configured IP addresses on all interfaces.

### Check Interfaces (Hardware)
```bash
/interface print
```

Shows network adapters:
- `ether3` = First interface (usually external)
- `ether4` = Second interface (usually internal)
- Names may vary depending on hardware/cloning

### Assign an IP Address
```bash
/ip address add address=172.20.213.1/16 interface=ether3
```

**Breakdown**:
- `address=` - IP and subnet mask in CIDR notation
- `interface=` - Which network adapter (ether3, ether4, etc.)

**Example for internal side**:
```bash
/ip address add address=192.168.213.1/24 interface=ether4
```

### Test Connectivity
```bash
/ping 172.20.2
/ping 192.168.213.2
```

**Keyboard shortcuts**:
- Up/Down arrows = Command history
- Ctrl+C = Stop ping

### Check Configuration
Use the print command for any section:
```bash
/ip address print
/ip route print
/ip firewall nat print
```

## Web GUI Configuration

### Accessing the GUI

From external network:
```
http://172.20.213.1:8080
```

Login: `admin` / `<your-password>`

### GUI Navigation

**Top-right buttons**:
- **Quick Set** - Main configuration page (most common tasks)
- **Advanced** - Detailed/expert settings
- **Terminal** - CLI access from web browser

**Most tasks can be done from Quick Set.**

### Quick Set Configuration

**Scrolling tips**:
- Mouse wheel only works when cursor is in the CENTER of the page
- If scrolling doesn't work, move mouse to the left side
- Scroll bar appears in the middle column

#### Internet/External Configuration

**Gateway** (where traffic goes to reach internet):
```
172.20.1.1 # Or whatever your competition topology specifies
```

**DNS Servers**:
- Click the `+` button to add DNS servers
- Add all DNS servers from your topology document

#### LAN/Internal Configuration

Should show your configured internal IP:
```
192.168.213.1/24
```

#### Critical Checkboxes

**Bridge LAN Ports** - Check this
- Allows multiple LAN ports to work as one network

**Enable NAT** - Check this
- **Network Address Translation**
- Allows internal 192.168.x.x addresses to route through external 172.20.x.x
- **Required for routing to work**

#### Apply Changes

Click **Apply Configuration** button at bottom.

Changes apply immediately - you'll see a "Saved" notification in the bottom-right.

### Port Forwarding (Port Mapping)

**Purpose**: Route external traffic to internal servers

**Example**: Route external HTTP requests to internal web server

1. Click **Port Mapping** (in Quick Set view)

2. Click **New** button

3. Configure the rule:

**TCP Rule**:
```
Name: www-tcp
Protocol: TCP
Port: 80
Forward To: 192.168.213.2
Port: 80
```

**UDP Rule**:
```
Name: www-udp
Protocol: UDP
Port: 80
Forward To: 192.168.213.2
Port: 80
```

4. Click **OK** to save each rule

### Testing Port Forwarding

From external machine:
```
http://172.20.213.1
```

Should display website hosted on 192.168.213.2 (internal server).

## Mini-Hack Context

### External Network
```
Network: 172.20.0.0/16
Router IP: 172.20.213.1 (example team 213)
Kali External: 172.20.2
```

### Internal Network
```
Network: 192.168.213.0/24 (team number in 3rd octet)
Router IP: 192.168.213.1
Web Server: 192.168.213.2
Kali Internal: 192.168.213.100
```

### Required Configuration

1. **Assign external IP**: `172.20.<team>.1/16` to ether3
2. **Assign internal IP**: `192.168.<team>.1/24` to ether4
3. **Enable NAT** in Quick Set
4. **Port forward 80** (TCP & UDP) to internal web server at `.2`

## Common Issues

### Can't access web GUI
- Verify router IP is correct
- Must use port 8080: `http://<ip>:8080`
- Check you're on the same network as router

### Port forwarding not working
- Did you enable NAT? (checkbox in Quick Set)
- Did you create BOTH TCP and UDP rules?
- Verify internal server is actually running the service
- Check internal server IP is correct

### Changes not saving
- Look for "Saved" notification bottom-right
- If using Quick Set, click "Apply Configuration"
- Changes are immediate (no reboot needed)

## CLI vs Web GUI

**Use CLI for**:
- Quick IP configuration
- Checking current status
- When GUI is not accessible

**Use Web GUI for**:
- Port forwarding / NAT rules
- Complex firewall rules
- Overview of configuration
- When you want visual confirmation

Both methods work and changes sync between them.

## Advanced Topics (Beyond Basics)

**Firewall Rules** - More complex than just port forwarding
- Can create allow/deny rules
- Similar concept to UFW but different syntax

**DHCP Server** - Assign IPs to internal network automatically
- Not needed for mini-hack (static IPs used)

**Routing Tables** - Custom routes
- Can add static routes for complex topologies

**VLANs** - Virtual network segmentation
- Competition may use in advanced scenarios

These are covered in MikroTik documentation but not required for basic mini-hack completion.

## Competition Day Checklist

1. ✅ Login and set a **strong** password
2. ✅ Assign external IP address to ether3
3. ✅ Assign internal IP address to ether4
4. ✅ Configure gateway (from topology doc)
5. ✅ Add DNS servers (from topology doc)
6. ✅ Enable NAT checkbox
7. ✅ Create port forwarding rules for required services
8. ✅ Test connectivity from external network

## Resources

**Official Documentation**:
- [MikroTik Wiki](https://wiki.mikrotik.com/)
- [Getting Started Guide](https://wiki.mikrotik.com/wiki/Manual:First_time_startup)

**Search Tips**:
- "mikrotik quick set"
- "mikrotik port forwarding"
- "mikrotik NAT configuration"

Most common tasks are well-documented with examples.
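
## Added Example: NAT and Port Forwarding from the CLI

The gateway, DNS, NAT and port-forwarding steps from the Required Configuration and Quick Set sections, written as RouterOS CLI commands for when the web GUI is not reachable. This is an added example, not part of the original guide and not necessarily the exact rules Quick Set generates; it assumes team 213 with `ether3` external and `ether4` internal as in the page's examples, and `<dns-server>` is a placeholder for the address in your topology document.

```routeros
# Added example (assumptions: team 213, ether3 = external, ether4 = internal).
# Interface addresses are assumed to be set already with /ip address add.

# Look first: if Quick Set already created NAT rules, do not add duplicates.
/ip firewall nat print

# Default route to the competition gateway (the page's example value).
/ip route add dst-address=0.0.0.0/0 gateway=172.20.1.1

# DNS server from the topology document (placeholder, replace before running).
/ip dns set servers=<dns-server>

# "Enable NAT": masquerade internal 192.168.213.0/24 traffic leaving ether3.
/ip firewall nat add chain=srcnat out-interface=ether3 action=masquerade \
    comment="lan-to-wan"

# Port forward 80/TCP to the internal web server.
# in-interface=ether3 limits the rule to traffic arriving from the external
# side, so outbound port-80 traffic from internal hosts is not redirected.
/ip firewall nat add chain=dstnat in-interface=ether3 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.213.2 to-ports=80 \
    comment="www-tcp"

# Port forward 80/UDP, matching the guide's second rule.
/ip firewall nat add chain=dstnat in-interface=ether3 protocol=udp \
    dst-port=80 action=dst-nat to-addresses=192.168.213.2 to-ports=80 \
    comment="www-udp"

# Verify what is now configured.
/ip address print
/ip route print
/ip firewall nat print

# Review which management services are enabled and on which ports;
# "www" is the web GUI the guide reaches on port 8080.
/ip service print
```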