Experience of using Mikrotik CHR for virtual routing

In this article I describe how I solved the problem of organizing routing between virtual machines on VMware using MikroTik CHR, and of providing VPN access to those virtual machines from an external network.


We define the initial problem:
There is a server with 96 GB of memory, 24 CPUs and 22 TB of disk space.
Two lines are connected to the server:
the first is used for managing VMware;
the second carries two VLANs: one gives access to the organization's internal network and to the Internet, the other carries real (public) addresses.
To stop consuming the organization's address space, a separate address space has to be defined inside the server for each resource (a pool of 3 virtual machines), and each pool has to be isolated from the other pools.
Traffic from the virtual machines that is not directed to the organization's proxy must be blocked.
Each resource of three virtual machines is intended for one person, who also needs access to it from home.
The hypervisor is VMware ESXi; MikroTik CHR will be used for routing.

Configuring VMware

As already defined, two VLANs come to the server: one will serve for access of the virtual machines to the organization's network and to the Internet through the organization's proxy, the second is needed for having a real address and for reaching the virtual machines from outside.
On the VMware virtual switch we create separate interfaces (port groups):
Each created interface is bound to the virtual machine with MikroTik CHR and to the 3 virtual machines of one pool. For example, the machines with the identifier Student # ? are attached to the virtual interface VM Vlan 25.
As a result, we get the following settings for the virtual machine with MikroTik CHR: one interface for access to the internal network and one for the real address.

Setting up MikroTik CHR

First, we give the interfaces understandable names and add comments that explain which pool of virtual machines each interface serves.
Part of the interface configuration:
    /interface ethernet
    # ether1 is the uplink to the organization; it is referenced as Class8_509_VM in the address and routing settings below
    set [ find default-name=ether1 ] comment="VLAN ID 111 Uplink to Company" name=Class8_509_VM
    set [ find default-name=ether4 ] comment="Interface VM Vlan 12 for Student # 1" name=Int_VM_Vlan12
    set [ find default-name=ether6 ] comment="Interface VM Vlan 14 for Student # 3" name=Int_VM_Vlan14
    set [ find default-name=ether7 ] comment="Interface VM Vlan 15 for Student # 4" name=Int_VM_Vlan15
    set [ find default-name=ether8 ] comment="Interface VM Vlan 16 for Student # 5" name=Int_VM_Vlan16
    set [ find default-name=ether2 ] comment="Interface Vlan 1111 Real_Outside" name=Real_Outside


Each interface is assigned an IP address, including the interface that carries the real address (public addresses are masked with *).

IP addresses of interfaces:
    /ip address
    add address=*.*.*.*/27 interface=Class8_509_VM network=*.*.*.*
    add address=???.1/29 interface=Int_VM_Vlan11 network=???.0
    add address=???.1/29 interface=Int_VM_Vlan12 network=???.0
    add address=???.1/29 interface=Int_VM_Vlan13 network=???.0
    add address=*.*.*.*/27 interface=Real_Outside network=*.*.*.*


Next we define the networks. In each pool, one of the virtual machines runs Windows Server 2012 with AD and DNS configured, so for each network the IP address of that virtual machine acts as the DNS server.

Networks:
    /ip dhcp-server network
    add address=???.0/29 dns-server=???.4 gateway=???.1
    add address=???.0/29 dns-server=???.5 gateway=???.1
    add address=???.0/29 dns-server=???.5 gateway=???.1


For each interface, we define an address pool to be issued by the DHCP server and enable Add ARP For Leases. This prevents a virtual machine from simply assigning itself an IP address by hand.

Add ARP For Leases creates a MAC-to-IP entry in the ARP table for clients that have obtained a lease from DHCP, which allows MAC filtering based on IP/ARP to be organized on the MikroTik. Note that these entries only restrict traffic when the interface itself is set to arp=reply-only; with the default ARP mode the router still learns addresses dynamically and a manually configured address keeps working.

Since it is necessary to provide access to virtual machines from the Internet, we will immediately prepare an address pool for clients when they are connected via L2TP /IPsec.

DHCP server:
    /ip pool
    add name=dhcp_pool_for_vm_vlan11 ranges=???.2-???.6
    add name=dhcp_pool_for_vm_vlan12 ranges=???.2-???.6
    add name=dhcp_pool_for_vm_vlan13 ranges=???.2-???.6
    # Address pools for l2tp clients
    add name=student1_l2tp_pool ranges=???.2-???.4
    add name=student2_l2tp_pool ranges=???.2-???.4
    add name=student3_l2tp_pool ranges=???.2-???.4
    /ip dhcp-server
    add add-arp=yes address-pool=dhcp_pool_for_vm_vlan11 disabled=no interface=Int_VM_Vlan11 lease-time=1h name=dhcp_for_vm_vlan11
    add add-arp=yes address-pool=dhcp_pool_for_vm_vlan12 disabled=no interface=Int_VM_Vlan12 lease-time=1h name=dhcp_for_vm_vlan12
    add add-arp=yes address-pool=dhcp_pool_for_vm_vlan13 disabled=no interface=Int_VM_Vlan13 lease-time=1h name=dhcp_for_vm_vlan13


Newer versions of RouterOS support interface lists, so we put all local interfaces into one list to simplify the firewall configuration.

Interface list:
    /interface list member
    add interface=Int_VM_Vlan11 list=local_vm
    add interface=Int_VM_Vlan12 list=local_vm
    add interface=Int_VM_Vlan13 list=local_vm


We define an address list with the IP addresses of the proxy, and in the firewall rules we state that traffic from all local interfaces is dropped unless it goes to the proxy addresses. At the same time we add a rule that blocks ICMP to the router and a rule that blocks traffic between the local interfaces.

Firewall rules:
    /ip firewall address-list
    add address=???.3 list=Proxy
    add address=???.1 list=Proxy
    add address=???.5 list=Proxy
    add address=???.7 list=Proxy
    /ip firewall filter
    add action=drop chain=forward comment="Block If Not Proxy Address" dst-address-list=!Proxy in-interface-list=local_vm
    add action=drop chain=input comment="Block ping" in-interface-list=local_vm protocol=icmp
    add action=drop chain=forward comment="Block ping between interface" in-interface-list=local_vm out-interface-list=local_vm


We also define NAT so that all traffic from the local addresses leaves through the interface facing the organization's network.


Setting MikroTik CHR: L2TP /IPsec


To provide access from the external network, we enable the L2TP server and create credentials and a dedicated interface for each user. Each user may have only one connection at a time. Since some users work on Windows 1?, the 3DES encryption algorithm is additionally enabled in the security settings.
In the firewall we specify that each user may reach only his own network (a specific local interface) and only on specific ports (RDP and SSH); all other traffic from the user is dropped. Additionally, we allow the L2TP/IPsec traffic itself to arrive on the interface that has the real address.
To reduce the load on the organization's network, a rate limit is set for each user.
The resulting settings are shown below for one user.

L2TP:
    /interface l2tp-server
    add comment="Interface L2TP for Student # 1" name=int_l2tp_student1 user=student1
    /ppp profile
    add change-tcp-mss=yes comment="Student1 Profile for L2TP, Rate Limits 3M/3M" local-address=???.1 name=student1_l2tp_profile only-one=yes rate-limit=3M/3M remote-address=student1_l2tp_pool use-compression=yes use-encryption=required use-upnp=no
    /ip firewall filter
    # L2TP/IPsec from the outside: IKE (UDP 500), NAT-T (UDP 4500), L2TP (UDP 1701) and ESP
    add action=accept chain=input in-interface=Real_Outside port=500,1701,4500 protocol=udp
    add action=accept chain=input in-interface=Real_Outside protocol=ipsec-esp
    # Access from l2tp only to a specific local interface, only RDP (3389) and SSH (22)
    add action=accept chain=forward comment="Student # 1 L2TP to Vlan 12" in-interface=int_l2tp_student1 out-interface=Int_VM_Vlan12 port=3389,22 protocol=tcp
    # Reply traffic from the pool back to the same l2tp interface
    add action=accept chain=forward in-interface=Int_VM_Vlan12 out-interface=int_l2tp_student1
    add action=drop chain=forward in-interface=int_l2tp_student1
    /ppp secret
    add comment="Student1 Auth Data" name=student1 password=******** profile=student1_l2tp_profile service=l2tp


Besides configuring the connection on the home machine, the client also adds a route to the network allowed to him; thanks to the firewall rules, a client who adds a route to a network other than his own still cannot reach the virtual machines of that network.
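RouterOS evaluates a chain top-down and the first matching rule decides, so the position of the per-user L2TP accept rules relative to the "Block If Not Proxy Address" drop matters: the reply from a VM (a local_vm interface) to the VPN client's address is not destined for the Proxy list. The following added example (not part of the article) simulates the article's forward chain with a first-match matcher; interface and list names are the article's, the IP addresses are constructed stand-ins, and port matching is simplified to destination ports.

```python
from dataclasses import dataclass, field

LOCAL_VM = {"Int_VM_Vlan11", "Int_VM_Vlan12", "Int_VM_Vlan13"}   # the local_vm interface list
PROXY = {"10.0.0.1", "10.0.0.3"}      # constructed stand-ins for the masked Proxy address list

@dataclass
class Rule:
    action: str
    in_list: set = field(default_factory=set)   # in-interface-list=...
    out_list: set = field(default_factory=set)  # out-interface-list=...
    in_if: str = None                           # in-interface=...
    out_if: str = None                          # out-interface=...
    dst_not_in: set = None                      # dst-address-list=!Proxy
    dst_ports: set = None                       # simplified to destination ports only
    proto: str = None
    def matches(self, p) -> bool:
        return all([
            not self.in_list or p["in_if"] in self.in_list,
            not self.out_list or p["out_if"] in self.out_list,
            self.in_if is None or p["in_if"] == self.in_if,
            self.out_if is None or p["out_if"] == self.out_if,
            self.dst_not_in is None or p["dst"] not in self.dst_not_in,
            self.dst_ports is None or p["dport"] in self.dst_ports,
            self.proto is None or p["proto"] == self.proto,
        ])

def verdict(rules, p, default="accept"):
    """RouterOS semantics: the first matching rule decides, else the chain's default action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

def pkt(in_if, out_if, dst, dport=None, proto="tcp"):
    return {"in_if": in_if, "out_if": out_if, "dst": dst, "dport": dport, "proto": proto}

# Forward-chain rules in the order the article adds them (each 'add' appends to the chain).
ARTICLE_ORDER = [
    Rule("drop", in_list=LOCAL_VM, dst_not_in=PROXY),                   # Block If Not Proxy Address
    Rule("drop", in_list=LOCAL_VM, out_list=LOCAL_VM),                  # Block ping between interface
    Rule("accept", in_if="int_l2tp_student1", out_if="Int_VM_Vlan12",
         dst_ports={3389, 22}, proto="tcp"),                            # Student # 1 L2TP to Vlan 12
    Rule("accept", in_if="Int_VM_Vlan12", out_if="int_l2tp_student1"),  # reply traffic back to VPN
    Rule("drop", in_if="int_l2tp_student1"),                            # anything else from student1
]
# The same rules with the two L2TP accepts moved above the proxy drop.
L2TP_FIRST = ARTICLE_ORDER[2:4] + ARTICLE_ORDER[0:2] + ARTICLE_ORDER[4:]
RDP_IN = pkt("int_l2tp_student1", "Int_VM_Vlan12", "10.12.0.2", 3389)   # VPN client -> VM, RDP
RDP_REPLY = pkt("Int_VM_Vlan12", "int_l2tp_student1", "172.16.1.2")     # VM -> constructed VPN client
```

With the rules in article order the RDP request is accepted but the reply is dropped by the proxy rule; placing the L2TP accepts first (or adding an established/related accept rule) makes the session work while every other check still holds.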


Marking traffic


Since we have two Internet connections, incoming traffic must be sent back through the interface it arrived on. For this we use the traffic marking capabilities of MikroTik: connections arriving on each external interface get a connection mark, and the router's own replies to those connections get a matching routing mark.

Marking traffic:
    /ip firewall mangle
    add action=mark-connection chain=input comment="Mangle Real_Outside traffic" in-interface=Real_Outside new-connection-mark=realOutMark passthrough=yes
    add action=mark-connection chain=input comment="Mangle Class8_509_VM Traffic" in-interface=Class8_509_VM new-connection-mark=classVmMark passthrough=yes
    add action=mark-routing chain=output comment="Rout out Real_Outside" connection-mark=realOutMark new-routing-mark=routReakOut passthrough=no
    add action=mark-routing chain=output comment="Rout out Class8-509 VM" connection-mark=classVmMark new-routing-mark=routClass8-509VM passthrough=no
    /ip route
    add distance=1 gateway=???.161 routing-mark=routReakOut
    add distance=1 gateway=???.30 routing-mark=routClass8-509VM
    add check-gateway=ping distance=1 gateway=Class8_509_VM


SSH block list


Since our MikroTik has a real address, there are constant attempts to guess the password over SSH from the Internet, so we add a number of firewall rules that block such IP addresses. A source is moved up one stage list with every new SSH connection and lands on the blacklist on the fourth; each stage rule only fires for sources already on the previous stage list, and the stage entries expire after 10 minutes.

SSH block:
    /ip firewall filter
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    # Stage 3 -> blacklist for 14 weeks and 2 days
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=14w2d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    # Stage 2 -> stage 3
    add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    # Stage 1 -> stage 2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    # Any new SSH connection -> stage 1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=input connection-state=new dst-port=22 protocol=tcp
    # Blacklisted sources also may not reach SSH behind the router
    add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist

At the time of writing, there were about 400 addresses in the block lists.
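The escalation only works because add-src-to-address-list is a non-terminating action and the rules are ordered from the highest stage down: within one packet the stage2-to-stage3 rule is checked before the stage1-to-stage2 rule adds the source to stage2, so a source climbs exactly one stage per connection. The following added example (not from the article) models the dynamic lists with their timeouts and counts how many connections a source gets before it is dropped; the source addresses and timing are constructed.

```python
from collections import defaultdict

# Entry lifetimes from the article's rules: 10m for the stage lists, 14w2d for the blacklist.
TIMEOUT = {"ssh_stage1": 600, "ssh_stage2": 600, "ssh_stage3": 600,
           "ssh_blacklist": (14 * 7 + 2) * 86400}
# (src-address-list the source must already be on, list the source is added to), top-down
# as in the article; None means the rule has no src-address-list condition.
ESCALATION = [("ssh_stage3", "ssh_blacklist"), ("ssh_stage2", "ssh_stage3"),
              ("ssh_stage1", "ssh_stage2"), (None, "ssh_stage1")]

class AddressLists:
    """Dynamic address lists with per-entry expiry (address-list-timeout)."""
    def __init__(self):
        self._exp = defaultdict(dict)          # list name -> {ip: expiry timestamp}
    def contains(self, name, ip, now):
        return self._exp[name].get(ip, -1) > now
    def add(self, name, ip, now):
        self._exp[name][ip] = now + TIMEOUT[name]

def new_ssh_connection(lists, ip, now, escalation=ESCALATION):
    """Run one new TCP/22 connection through the input chain and return its verdict.
    add-src-to-address-list is non-terminating in RouterOS, so every matching
    escalation rule fires and the packet then continues down the chain."""
    if lists.contains("ssh_blacklist", ip, now):
        return "drop"                          # "drop ssh brute forcers"
    for src_list, dst_list in escalation:
        if src_list is None or lists.contains(src_list, ip, now):
            lists.add(dst_list, ip, now)
    return "accept"                            # reaches the normal input rules

def attempts_until_drop(escalation=ESCALATION, interval=30, ip="203.0.113.7"):
    """Number of new connections (constructed, `interval` s apart) before the source is dropped,
    or None if it never escalates within 20 attempts."""
    lists = AddressLists()
    for n in range(1, 21):
        if new_ssh_connection(lists, ip, n * interval, escalation) == "drop":
            return n
    return None
```

Reversing the rule order lets a source climb all three stages in a single connection, so a legitimate administrator would be blacklisted on the second login; a source that waits longer than the 10-minute stage timeout between attempts never escalates at all, which is the known limit of this scheme against slow guessing.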


As a result, we get a configured virtual MikroTik that performs the traffic routing, provides the ability to connect from the Internet via L2TP/IPsec and has firewall settings that separate users and interfaces.

Comments 4

Becky 13 September 2018 13:14
I'm surprised that with every network technology you guys have, you have nothing in comparison to dissertation writing service at all, like why is that? You should have looked into this if you ask me!
Karl Johnson 8 October 2018 09:14
Experience of using Mikrotik CHR for virtual routing is always a good experience for the writers. As a writer of different professional paper writing service projects I will share this blog, so more people will know about it.
Owael 15 October 2018 06:49
Trim is a decent calling for each one yet in young guardians should focus on children instruction not at other's exercises. In any case, if child's are great in my assignment help reviews work or in concentrate then they should picked any petitioned for their future calling.
Jane 14 January 2019 05:30
This post shows nice details. I like the way you analyze issues windows 10 application. 