Notes on how-to Mikrotik

# Start with a fully updated routerOS and routerBOARD firmware. Factory reset with no configuration.
# Connect via Winbox neighbor discovery L2 connection, ssh/L3 comes later

# create new administrator user
.1: add new user with full perms
.2: log in with new user, delete admin account

# address WAN interface
.1: edit DHCP client or add static IP, assign to WAN interface
    NOTE: ether1 DHCP client is default enabled on CHR
.2: add/verify default route
.3: add DNS IP
    NOTE: disable DHCP assigned DNS server if configuring manually
.4: update time via cloud for sanity check
    NOTE: not possible with chr free license

# create bridge, add interface(s) for LAN
NOTE: mind spanning tree root bridge priority !!
.1: add IP for management connectivity on LAN, assign to LAN bridge

# set system identity
.1: use something from wordlist https://del.rf2wan.net/pub/mnemonic_wordlist.txt

# add ca-certs
/tool/fetch url=https://curl.se/ca/cacert.pem
/certificate/import file-name=cacert.pem passphrase=""
TODO: update ca-certs regularly otherwise DoH will eventually fail !!
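The bring-up steps above, collected into one RouterOS 7 command sequence as an added example (this is not from the notes). The user name, password, LAN addressing, ISP addressing and interface names are placeholder assumptions; the script and scheduler at the end are one way to handle the ca-cert refresh TODO, not something the notes prescribe.

```routeros
# Added example: initial bring-up of a factory-reset RouterOS 7 device.
# Names, addresses and the password are placeholders (assumptions).
# Run from a Winbox/MAC (L2) session, since ether1 may have no IP yet.

# 1. new full-rights admin, then remove the default "admin" account
/user add name=netops group=full password="CHANGE-ME-long-random-passphrase"
# re-login as netops before the next line, or this session is dropped
/user remove admin

# 2. WAN: DHCP client on ether1, ignoring the ISP's DNS/NTP, default route added by DHCP
/ip dhcp-client add interface=ether1 use-peer-dns=no use-peer-ntp=no add-default-route=yes disabled=no
# static alternative (assumed ISP addressing, shown commented out):
# /ip address add address=203.0.113.10/24 interface=ether1
# /ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1
/ip route print
/ip dns set servers=1.1.1.1 allow-remote-requests=no

# 3. time sanity check via cloud (not available on the CHR free license)
/ip cloud set update-time=yes
/system clock print

# 4. LAN bridge; explicit low priority so this router wins STP root election
/interface bridge add name=bridge-lan protocol-mode=rstp priority=0x1000
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/ip address add address=192.168.88.1/24 interface=bridge-lan

# 5. identity taken from the wordlist (placeholder value)
/system identity set name=example-word

# 6. CA bundle, plus a 30-day refresh so DoH certificate verification keeps working
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/system script add name=refresh-cacerts \
    source="/tool fetch url=https://curl.se/ca/cacert.pem; /certificate import file-name=cacert.pem passphrase=\"\""
/system scheduler add name=refresh-cacerts interval=30d on-event=refresh-cacerts
# after a refresh, check /certificate print for expired entries that should be removed
```

The DHCP client line deliberately sets use-peer-dns=no so the DNS server configured in step 2 is the only one in use, matching the NOTE about disabling DHCP-assigned DNS; the refresh script re-imports the bundle on a schedule, which is what the TODO at the end of the section asks for.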
# enable DoH
.1: add static entry for mozilla.cloudflare-dns.com to 1.1.1.1
.2: Enter into "use doh server" field: https://mozilla.cloudflare-dns.com/dns-query
.3: disable DNS checkbox from WAN DHCP client
TODO: add rules to block Windows wpad queries from passing upstream

# NTP client
.1: Add servers from: https://tf.nist.gov/tf-cgi/servers.cgi
.2: cloud > disable update time checkbox

# interface list and neighbor discovery
.1: create mgmt interface list
.2: add LAN bridge to list
.3: restrict discovery to list

# disable IP services list
.1: disable unused services
.2: restrict to mgmt subnet

# disable IPv6 unless v6 wizard
.1: disable checkbox
.2: disable Neighbor Discovery
TODO: firewall drop all

# system clock
.1: disable autodetect checkbox
.2: set to UTC because duh

# disable tools
.1: bwtest server
.2: mac telnet server > none
.3: mac winbox server > mgmt list
.4: mac ping server > disable checkbox

# misc housekeeping
.1: rename wireless interfaces 2/5ghz
.2: DHCP/IGMP snooping > set trusted interface for DHCP !!
.3: enable RoMON if you're into that > restrict to trusted ports
.4: wireguard == very yes
.5: firewall src nat WAN interface masquerade allow

# policy based routing example
0 ;;; Mark packets received from LTE
  chain=input action=mark-connection new-connection-mark=from-lte passthrough=yes in-interface=ether2-lan src-mac-address=24:65:11:xx:xx:xx connection-mark=no-mark
1 ;;; Mark response packets to be sent via LTE
  chain=output action=mark-routing new-routing-mark=lte-route passthrough=yes connection-mark=from-lte
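The hardening sections above and the policy-based routing example, written out as RouterOS 7 commands; this is an added example and not part of the notes. It assumes the names from the bring-up (ether1 as WAN, bridge-lan as LAN, 192.168.88.0/24 as the management subnet), that wlan1 is the 2.4 GHz radio, that ether2 faces the DHCP server, and an LTE interface named lte1 for the routing-table gateway; the LTE host MAC keeps the notes' xx placeholder and must be filled in. The last block goes beyond the notes' two mangle rules by adding the routing table and route those rules need on v7.

```routeros
# Added example: hardening steps as RouterOS 7 commands. Interface names,
# the management subnet and the LTE gateway name are assumptions.

# DoH via Cloudflare: the static entry lets the DoH hostname resolve before DoH is up
/ip dns static add name=mozilla.cloudflare-dns.com address=1.1.1.1
/ip dns set use-doh-server=https://mozilla.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dhcp-client set [find interface=ether1] use-peer-dns=no

# NTP from the NIST list, then stop the cloud time sync now that NTP is in place
/system ntp client set enabled=yes
/system ntp client servers add address=time.nist.gov
/ip cloud set update-time=no

# management interface list; neighbor discovery only on it
/interface list add name=mgmt
/interface list member add list=mgmt interface=bridge-lan
/ip neighbor discovery-settings set discover-interface-list=mgmt

# IP services: disable unused ones, bind the rest to the management subnet
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# IPv6 off until it is configured deliberately; the drop rules cover the
# "firewall drop all" TODO and must get accept rules above them before v6 is enabled
/ipv6 firewall filter add chain=input action=drop comment="drop all until v6 is configured"
/ipv6 firewall filter add chain=forward action=drop comment="drop all until v6 is configured"
/ipv6 nd set [find] disabled=yes
/ipv6 settings set disable-ipv6=yes

# clock: no autodetect, UTC
/system clock set time-zone-autodetect=no time-zone-name=UTC

# tools
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=mgmt
/tool mac-server ping set enabled=no

# housekeeping
/interface wireless set wlan1 name=wlan-2ghz
/interface wireless set wlan2 name=wlan-5ghz
/interface bridge set bridge-lan dhcp-snooping=yes
/interface bridge port set [find interface=ether2] trusted=yes
/tool romon set enabled=yes
/tool romon port set [find interface=all] forbid=yes
/tool romon port add interface=ether2 forbid=no
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# policy-based routing: the two mangle rules from the notes only take effect
# if a routing table named lte-route exists and has a route in it (RouterOS 7)
/routing table add name=lte-route fib
/ip route add dst-address=0.0.0.0/0 gateway=lte1 routing-table=lte-route comment="default via LTE"
/ip firewall mangle add chain=input action=mark-connection new-connection-mark=from-lte \
    passthrough=yes in-interface=ether2-lan src-mac-address=24:65:11:xx:xx:xx \
    connection-mark=no-mark comment="Mark packets received from LTE"
/ip firewall mangle add chain=output action=mark-routing new-routing-mark=lte-route \
    passthrough=yes connection-mark=from-lte comment="Mark response packets to be sent via LTE"
```

Order matters in two places: the IPv6 drop rules are added before disable-ipv6 so the menu is still reachable, and the routing table is created before the mangle rule that references lte-route, since on v7 a mark-routing rule pointing at a table that does not exist sets the mark but the packet still follows the main table. The wpad TODO from the DoH section is left open here, as in the notes.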